Microsoft released its heaviest patch bundle of 2014 last night, covering 13 vulnerabilities with eight bulletins.
Two of the bulletins are rated as critical and fix flaws in Internet Explorer and SharePoint Server. Wolfgang Kandek, CTO of Qualys, said that MS14-029 is top of the list and is another surgical fix, similar to the out-of-band MS14-021 from May 1st. “MS14-021 addressed the zero-day CVE-2014-1776, which had been found in the wild by FireEye on April 26th,” he said.
“In a similar fashion MS14-029 addresses CVE-2014-1815, which was detected as having attacks in the wild by the Google Security Team. For good measure Microsoft also included MS14-021/CVE-2014-1776 in this bulletin, so if you have not installed it yet, you can just install MS14-029 and address both issues at the same time.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “One of the other common vulnerabilities and exposures (CVEs) fixed in this advisory is under limited, targeted attack. Also, there are two flavours of this patch for Windows 8.1 users, one for those who took the ‘Spring 2014 update rollup’ and one for those who did not.
“Not to mention that this is the first advisory that clearly would have applied to Windows XP, but for which a patch is not available. IE 6, 7, & 8 are vulnerable on Windows 2003 SP2, this would historically have mapped to the same scope of XP patches, but not this time. Anyone still using XP just got a little less secure – not that they were well off to begin with.”
Looking at MS14-022, Russ Ernst, director of product management at Lumension, said: “SharePoint users will want to pay close attention as it impacts 2007, 2010, 2013 and Microsoft Web Apps, otherwise known as Office Online. This one is for three CVEs, none under public attack, and they do require social engineering aimed at your users to trigger.”
Among the six “important” rated patches, Kandek said that MS14-024 and MS14-025 both provide fixes for issues that have been abused by malware, pen-testers and hackers alike. Ernst said that MS14-026 is an elevation of privilege issue in Windows and the .NET Framework, MS14-027 is a vulnerability in the Windows Shell Handler that could allow an elevation of privilege, and MS14-028 is for two CVEs in iSCSI that could allow denial of service.
Tyler Reguly, manager of security research at Tripwire, said: “As a home user of Microsoft Office products, MS14-023 is very interesting to me. My family just migrated to Microsoft OneDrive and Office 365 Home for all of our computing needs, and this vulnerability affects the passing of tokens in the OneDrive product; this means I’ll need to be hyper-vigilant in monitoring my family’s usage of these services until I can get the updates deployed across all of our computers.”
This is also the first month in which no patches are issued for Windows XP. Kandek believed that any vulnerability affecting Windows Server 2003 is applicable to XP too, meaning that at least the MS14-029 (IE), MS14-024 (ASLR) and MS14-025 (Group Profile) patches, as well as MS14-023 (not XP itself, but Office 2003), will not be issued for XP.
“However, as we have seen, its market share is shrinking. If that tendency continues we will be close to zero per cent in another four months, even though we will probably see the inevitable flattening at the long-tail of the machine substitution,” he said.