Microsoft released seven bulletins last night, patching two critical flaws and addressing 66 Common Vulnerabilities and Exposures for Windows, Internet Explorer and Office.
Wolfgang Kandek, CTO of Qualys, said that this brings the half-year total to 36, ten behind last year’s pace which was 46. “We have become accustomed to see around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year,” he said.
“This runs counter to the general tendency of the year which has already seen its shares of big breaches, zero-days and the big Heartbleed vulnerability in OpenSSL. Maybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.”
Regarding priorities, Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing, said that the bulletin MS14-035 for Internet Explorer resolves 59 items, including CVE-2014-1770. “The most serious of these could allow remote code execution if a user views a webpage specially crafted by a cyber criminal,” he said.
“We still haven’t seen any active attacks attempting to exploit any of the other CVEs addressed by this bulletin. While there are a number of things being addressed this time around, it’s important to note that, to our knowledge, none of these now-addressed CVEs have caused any customer impact to date.”
Kandek said: “This addresses a record-breaking 59 distinct vulnerabilities and includes the fix for the 0-day CVE-2014-1770 in IE8. This issue is not under attack, but it was disclosed two and a half weeks ago by vulnerability broker ZDI.
“ZDI had notified Microsoft last October of the use-after-free flaw in the CMarkup object and, when Microsoft did not address it in May, went public with an advisory. The update is rated critical because the vulnerabilities allow Remote Code Execution without user interaction. The attack vector is a web page with malicious content, such as an innocent website that has come under control of the attackers. Given the volume of work that we do through web browsers, apply this update first.”
Craig Young, security researcher at Tripwire, said: “Although no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code.”
Russ Ernst, director of product management at Lumension, said: “The second critical patch this month is MS14-036. This is a far-reaching vulnerability in Microsoft Graphics component that could allow a remote code execution. The two CVEs are not currently under known attack but the impacted software list is extensive: all versions of Windows, Office, Lync and Live Meeting. Given this extensive list of impacted applications and systems, administrators should have their test systems up to date to ensure a smooth roll-out.”
However Kandek said that the next priority is the Microsoft Word update, MS14-034, which addresses one vulnerability in the program’s font handling (CVE-2014-2778). “Microsoft rates it only “important” because user interaction is required – one has to open a Word file – but it allows the attacker Remote Code Execution,” he said.
Ernst, said: “Notably, MS14-036 and MS14-031 impact Windows Server 2003 so this is a good time to note its impending end of life in July, 2015. We are coming up on just a year out now and because any changes to your data cenre environment will likely require a significant amount planning and work, it isn’t too soon to get that plan started.”