Microsoft released four bulletins last night to fix 42 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server.
Microsoft recommended fixing the only critical-rated patch,MS14-052, first as this also includes new functionality to block out-of-date ActiveX controls. Craig Young, security researcher at Tripwire, said that despite this being a slow month for Microsoft patches, this ‘in-the-wild’ was being addressed in an attempt to limit the capability of exploit kits that have been identified as using an information disclosure technique to determine if particular security software were installed.
He said: “The flaw allows a malicious website to determine if a software package is installed by querying the availability of a DLL used by that software. Information regarding active security products on a target is very useful for an attacker; it allows them to avoid raising alarms by sending detectable payloads.”
Russ Ernst, director of product management at Lumension, said: “Of the 37 CVEs, just one, CVE-2014-7331, is publicly known at this time and is under active attack. It’s an information disclosure vulnerability being used by the bad guys for targeting vulnerable systems, and has been used in combination with other vulnerabilities to bypass ASLR.”
Wolfgang Kandek, CTO of Qualys, said that CVE-2013-7331 allows attackers to determine remotely through a webpage the existence of local pathnames, UNC share pathnames, intranet hostnames and intranet IP addresses by examining error codes.
“This capability has been used in the wild by malware to check if anti-malware products or Microsoft’s Enhanced Mitigation Toolkit (EMET) is installed on the target system and allows the malware to adapt its exploitation strategy. The remaining 36 vulnerabilities that are addressed by MS14-052 all allow for Remote Code Execution (RCE) and are the reason for the Critical rating by Microsoft.”
The other patch which was seen as crucial to fix, despite only being rated as important, was
MS14-054. Young said that this should also be high on IT admins patch list as Microsoft expects to see reliable task scheduler exploits developed within a month. He said: “Successful exploitation of this vulnerability would allow any user to take complete control of the affected system.”
Ernst said that this should be second on a list of priorities, as it is an elevation of privilege vulnerability for one privately disclosed CVE in Task Scheduler. RegardingMS14-053, Kandek said: “This is only rated as ‘Important’ but, in our opinion, should be treated as ‘Critical’ if you have ASP.NET framework installed with your IIS webserver. If left unpatched, remote un-authenticated attackers can send HTTP/HTTPS request to cause resource exhaustion, which will ultimately lead to denial-of-service condition on the ASP.NETweb server.”
