Microsoft and Adobe Systems released security updates today to fix a number of critical vulnerabilities.
The Microsoft updates address 13 vulnerabilities affecting Windows, Internet Explorer, SharePoint and other products. The bugs are addressed in a total of eight security bulletins. Six of these are rated ‘important’, while the other two – which deal with Internet Explorer and SharePoint – received Microsoft’s highest severity rating of ‘critical.’
MS14-029 is aimed at Internet Explorer, and addresses remote code execution vulnerabilities. One of them, CVE-2014-1815, is currently the subject of targeted attacks, according to the company.
“Unlike what we expected, this is another surgical fix, similar to the out-of-band MS14-021 from May 1,” blogged Wolfgang Kandek. “MS14-021 addressed the zero-day CVE-2014-1776, which had been found in the wild by FireEye on April 26. In a similar fashion MS14-029 addresses CVE-2014-1815, which was detected as having attacks in the wild by the Google Security Team. For good measure Microsoft also included MS14-021/CVE-2014-1776 in this bulletin, so if you have not installed it yet, you can just install MS14-029 and address both issues at the same time.”
Interestingly, Microsoft does not list the SharePoint vulnerability as the next important issue to prioritize; instead the company recommends focusing on MS14-024 and MS14-025.
MS14-024 can be exploited to allow an attacker to bypass security features if the user can be lured to a malicious website viewed in a browser capable of instantiating COM components, such as Internet Explorer, Microsoft explained. MS14-025 meanwhile could lead to elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain – a practice that could permit an attacker to retrieve and decrypt the password stored with Group Policy preferences.
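The Group Policy preferences exposure behind MS14-025 is something administrators can check for themselves: the update stops new passwords from being configured through preferences, but entries already written to SYSVOL remain until someone removes them. The following added example (not from the article, Microsoft or any vendor) walks a SYSVOL tree and reports every preference item that still carries a `cpassword` attribute; the GPO GUID, file contents and account name in the sample are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that may carry "cpassword"; attributes naming the affected account.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpassword(sysvol_root):
    """Walk a SYSVOL tree and list every GPP item that still stores a password."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed preference file; not a cpassword finding
            for item in root:               # <User>, <NTService>, <Drive>, ...
                for props in item:          # <Properties .../>
                    if not props.attrib.get("cpassword"):
                        continue            # absent or empty: no stored password
                    account = next((props.attrib[a] for a in ACCOUNT_ATTRS
                                    if a in props.attrib), "")
                    # The encrypted value is not reported; its existence is the finding.
                    findings.append({"file": os.path.relpath(path, sysvol_root),
                                     "item": item.tag,
                                     "name": item.attrib.get("name", ""),
                                     "account": account})
    return findings


def build_sample_sysvol():
    """Constructed SYSVOL layout; the GPO GUID and cpassword value are placeholders."""
    base = tempfile.mkdtemp()
    prefs = os.path.join(base, "Policies", "{PLACEHOLDER-GPO-GUID}",
                         "Machine", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    os.makedirs(os.path.join(prefs, "Drives"))
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w") as f:
        f.write('<Groups><User name="LocalAdmin"><Properties action="U" '
                'userName="LocalAdmin" cpassword="CONSTRUCTED_PLACEHOLDER"/>'
                '</User></Groups>')
    with open(os.path.join(prefs, "Drives", "Drives.xml"), "w") as f:  # no password
        f.write('<Drives><Drive name="H:"><Properties action="U" '
                'path="\\\\fs01\\home" cpassword=""/></Drive></Drives>')
    return base
```

Point `find_cpassword` at the domain's SYSVOL share (or an offline copy of it); each item it returns is a preference that should be removed and whose account password should be rotated.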
“MS14-024 is going to be the other high priority patch this month,” explained Chris Goettl, product manager at Shavlik. “Though it’s only ranked important, there have been limited attacks in the wild and it allows for an attacker to bypass security features, so it will be important to get this one out quickly. Fortunately, this exploit does seem to require a degree of user participation, which is likely why it’s ranked important, rather than critical.”
Though MS14-022, the other security bulletin rated ‘critical’, was not considered a high priority by Microsoft, system administrators should not disregard it, Goettl said.
“Admins should test this patch thoroughly to ensure all SharePoint sites stay online, but don’t hold off patching this one, as many admins are prone to do,” he said. “It’s a cross-site scripting issue that could allow a remote code execution, so be sure to put this patch at the top of your list.”
Microsoft also released an update for Windows 8 and Windows Server 2012 to enhance credential protection and domain authentication controls. These features are currently available for Windows 8.1 and Windows Server 2012 R2, and the company is making them available for the other platforms. In addition, Microsoft released an update for the .NET Framework that disables Rivest Cipher 4 (RC4) in Transport Layer Security (TLS). A final update revokes the digital signature for a specific Unified Extensible Firmware Interface (UEFI) module. This step was taken out of an “abundance of caution,” and Microsoft is not currently aware of any customer impact.
In addition to the Microsoft vulnerabilities, administrators must also address updates released by Adobe today for Acrobat, Flash Player, Reader and Adobe Illustrator.
“Since it is Adobe’s month to patch, they have updates for pretty much everything,” Goettl said. “The Adobe Reader and Acrobat updates are plugging 11 vulnerabilities. These are addressing a variety of issues, making it a pretty ugly priority one update. Along with the two critical Microsoft patches, it should be close to the top of your list this month.”
“Flash had a zero day vulnerability that was recently patched,” he added, “so if you haven’t issued that to users yet, be sure to do so. The new Flash release addresses six total vulnerabilities in addition to that zero-day. It’s a priority one for all Windows platforms and there will be an update to the Flash plugin for both IE and Chrome, so be sure to pay attention there. If you haven’t patched your Adobe products recently, it will be important to do.”
*This post was updated with additional information.