Microsoft released six security bulletins today for Patch Tuesday, including a critical update for Internet Explorer.
Of the six, two are rated ‘critical’, while three are rated ‘important’ and one is considered ‘moderate.’ All totaled, the bulletins address 29 vulnerabilities across Microsoft Windows, Microsoft Server Software and Internet Explorer.
“This new Internet Explorer bulletin covers over 24 different vulnerabilities including one publicly disclosed vulnerability,” said Marc Maiffret, CTO at BeyondTrust in a statement. “The publicly disclosed vulnerability is within the handling of Extended Validation Certificates or EV Certificates. Internet Explorer was not properly enforcing Extended Validation best practices by disallowing the use of wildcard certificates. While this vulnerability itself is bad, there are another 23 vulnerabilities that can result in a variety of remote code execution. It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal for massive Internet Explorer updates every Patch Tuesday.”
All versions of Internet Explorer from 6 to 11 are affected, he added.
The other critical bulletin released today deals with a vulnerability in Windows Journal that could allow remote code execution if a user opens a specially-crafted Journal file.
“The security bulletin for Windows Journal addresses one privately reported CVE that could allow an attacker to execute code on your system if you open a malicious Windows Journal file,” blogged Dustin Childs, group manager of response communications with Microsoft Trustworthy Computing. “It’s worth noting that Windows Server versions do not have Windows Journal installed by default. That’s by design. You are always at less risk when you have fewer applications installed, so server systems ship with many optional components disabled. If you haven’t reviewed the applications installed on your server recently, now is a good time to do so. Reducing the attack surface will have a positive impact on the overall security of the server.”
Outside those two, the remaining vulnerabilities include three privilege escalation issues in Microsoft Windows and a publicly-disclosed denial-of-service vulnerability affecting the Microsoft Service Bus for Windows Server.
“MS14-039, MS14-040 and MS14-041 fix the issues disclosed in this year’s Pwn2Own contest via the Zero Day Initiative’s responsible disclosure process,” explained Ross Barrett, senior manager of security engineering at Rapid7 in a statement. “They are all local, elevation of privilege issues by which an unprivileged user or process may gain greater access. They have demonstrably been used in chained attacks to achieve compromise and, given the nature of their disclosure, must be known to have exploit code in existence. Now that ZDI’s [HP’s Zero Day Initiative] embargo has been fulfilled, that exploit code may become publicly available.”
“The odd one out this month is MS14-042… This affects the AMQP implementation which is part of the Microsoft Web Platform package and is not installed by default with any OS version,” said Barrett. “This vulnerability would allow an authenticated user to cause a DoS. Technically this is a publicly-known issue since it was reported via an MSDN forum post. Any home user, and most enterprises, can safely ignore this one, but if you have this component you should patch.”
In addition to the Microsoft patches, Adobe Systems also made patches available today.
“Adobe has released a Flash Player update (APSB14-17),” noted Shavlik Technologies’ Chris Goettl, in a statement. “This makes six out of seven months this year Adobe has had a Patch Tuesday Flash update.”
“The release resolves three vulnerabilities, which could allow attackers to take control of the affected system,” he continued. “The first rejects malicious content from vulnerable JSONP callback APIs. The other two resolve security bypass vulnerabilities. Adobe has set this update as a Priority 1 and Shavlik recommends including this as a priority update for your maintenance this month.”