Microsoft released nine patches last night, two of which are rated critical.
In its monthly Patch Tuesday release, it addressed 37 common vulnerabilities and exposures (CVEs) in SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer (IE). It recommended focusing on the critical patches first.
The first is MS14-043, which fixes a vulnerability in Windows Media Centre that could allow remote code execution.
Russ Ernst, director of product management at Lumension, said: “MS14-043 covers a privately-disclosed CVE for a vulnerability in Windows 7, 8 and 8.1 when a malicious file is opened using Windows Media Center that could allow remote code execution.”
Karl Sigler, threat intelligence manager at Trustwave, said: “An attacker could create a malicious Microsoft Office file that invokes Windows Media Player and exploits this vulnerability. Exploitation could execute any code using the same user rights as the logged-in user.
“This security update is rated Critical for all supported editions of Windows Media Centre TV Pack for Windows Vista, all supported editions of Windows 7 except Starter and Home Basic editions, Windows Media Centre when installed on Windows 8 Professional edition, and Windows Media Centre when installed on Windows 8.1 Professional edition.”
The other critical patch is MS14-051, which resolves one publicly disclosed and twenty-five privately reported vulnerabilities in Internet Explorer, including remote code execution. Ross Barrett, senior manager of security engineering at Rapid7, said: “This patch addresses the sole vulnerability to be actively exploited in the wild in this month’s crop of issues, CVE-2014-2817, and the sole issue which is known to be publicly disclosed but not known to be under active exploitation, CVE-2014-2819, both of which are elevation of privilege issues.”
Wolfgang Kandek, CTO of Qualys, said that this was its highest priority, as most of the vulnerabilities can be exploited to reach Remote Code Execution and complete control of the targeted platform.
“Microsoft is aware of targeted attacks against vulnerability CVE-2014-2817 and rates this bulletin a ‘0’ on the Exploitability Index, which is an indication that attackers are exploiting at least one of the vulnerabilities,” he said.
“As a whole, the vulnerabilities affect all supported versions of Internet Explorer from IE6 to IE11. Attackers would trigger these vulnerabilities through a webpage that hosts the malicious code, which is the most common attack scenario besides phishing. Apply this bulletin first.”