Microsoft recently released its security patches for July 2014. Presented below are a few experts’ opinions and comments on this latest ‘Patch Tuesday’:
Wolfgang Kandek, CTO of Qualys, Inc.:
Microsoft has released six bulletins today, addressing a total of 29 vulnerabilities, plus three security-related advisories. Two of the bulletins are critical and can be used to get to Remote Code Execution (RCE). Overall, a pretty normal Patch Tuesday even adding in the update for Flash that Adobe is coming out with. But July also has the release of the Oracle Critical Patch Update, which will give IT administrators an additional 100+ updates to look at and decide how to apply them to their infrastructure, taking exploitability and reachability of their devices into account.
This month’s biggest update is also the highest priority one: MS14-037 addresses 24 vulnerabilities in Internet Explorer (IE), almost all use-after-free type vulnerabilities, and is valid for all versions (6-11) of Microsoft’s browser. There are no 0-days open for IE, which would dictate the shortest turn-around possible for the installation of the patch, but nevertheless IT admins should schedule the IE patch for a quick installation. Its exploitability index is “1”, which means Microsoft rates it as relatively easy (less than 30 days of time) to reverse engineer the vulnerabilities and develop an exploit.
Unless you are running IE10, IE11 or Google Chrome, you should look at this month’s Adobe Flash fix as your second highest priority. Google Chrome, IE10 and IE11 embed Adobe Flash and update it automatically, so in that case you and your users do not have to do that. Everybody else, Internet Explorer 9 and lower, Firefox and Mac OS X (!) users, should update their Flash installation manually. Details can be found in APS14-17 on Adobe’s website.
Next is MS14-038, which fixes a single file-format vulnerability in Windows Journal. I actually had to look up what Windows Journal is, because I had never heard of it. Journal is “notepad” for handwritten notes and first made its appearance in Windows XP Tablet Edition, so this is a vulnerability that really does not apply to a normal Windows XP system. However, after XP, it has been included by default in all subsequent Windows versions: Vista, 7 and 8, and can be attacked through a specially formatted input file. The attack vector can be through web-browsing, email or IM or any other means that can be used to send you a .JNT file. Given its obscurity and the potential for more file format problems, it is probably a reasonable measure to disable the file extension .JNT.
The next three vulnerabilities are all in Windows, are rated as “important” and provide local escalation of privileges:
– MS14-039: an update to the OnScreen Keyboard which allows the attacker to escape the IE sandbox. Any attack would be very visible as the onscreen keyboard would come up and certainly cause some consternation.
– MS14-040: updates the driver AFD.sys and fixes an escalation of privilege.
– MS14-041: a fix to DirectShow, which addresses another IE sandbox escape.
The last Microsoft bulletin MS14-042 fixes a Denial-of-Service problem in the Windows Service Bus (WBS). WBS is a rather new component in Windows and most likely only rarely installed. It is an interesting reminder though that our architectures are not becoming simpler. We are constantly adding components to our systems, which bring their own vulnerabilities into the fold.
For Windows XP users: The majority of these vulnerabilities apply to your operating system, except the Windows Journal application and Windows Service Bus weaknesses. The Internet Explorer vulnerabilities can certainly be exploited on XP, as well as the Flash problem. XP users should evaluate urgently using a supported browser if they cannot move away from the operating system.
Craig Young, Security Researcher at Tripwire:
Windows Server administrators will be relieved that none of the holes being plugged by Microsoft this month can be used for remote code execution without user-interaction.
There is a long list of Internet Explorer CVEs as usual but, apart from that, this month primarily addresses bugs that are more likely to be used after an attacker has gained low privileged code execution. This is not a good reason for security teams to relax this month though. Microsoft expects all but one of the bulletins will be exploited within the next 30 days, so it’s important to deploy these updates as soon as possible.
The critical vulnerability described in MS14-038 is a great example of how unused software can be abused by attackers. In this case Windows Journal, which is installed by default but isn’t commonly used, can lead to arbitrary code execution. In this case, attack surface can be greatly reduced by uninstalling the affected software or removing associations with the unused program. One of the best tactics for hardening systems is to remove software or features which are not needed. Doing so protects systems by limiting the lines of code exposed to an attacker and every line of code presents new opportunities for attacks to succeed.
Even if Journal is not used in your organization, it is crucial that all systems with Windows Journal are patched immediately as this file-format vulnerability can be exploited with just a simple file preview.
Tyler Reguly, Manager of Security Research at Tripwire:
This month is more of the same from Microsoft. Internet Explorer, file type vulnerabilities, and privilege escalation make up most of the list. I’m not sure if this speaks to the maturity of the process or a major flaw with security research. It could be that the only bugs left to find exist in this client-side software or it could be that lack of user education and poor computer usage habits make these the most logical target. I’d like to hope it’s the former but I suspect it’s the latter.
IT teams will want to focus on the two critical issues affecting Internet Explorer and Windows Journal. If you cannot apply updates immediately, there are workarounds for both of these critical flaws. Users can switch to a new browser, making sure to set the new browser as the default, and disable any Windows Journal .JNT file associations. While a patch is always preferred, limiting the attack surface is a good backup.
The single remote vulnerability this month affects the little known Microsoft Service Bus offering and is a denial of service vulnerability, earning it the lowest patch priority this month. That said, if you use this software, you should patch as soon as possible — attackers could use this vulnerability to disrupt business activities.
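Both Kandek and Reguly recommend disabling the .JNT file association as an interim workaround for MS14-038 where the patch cannot go on immediately. The script below is an added example, not from the article or any of the quoted experts: it audits the association on a Windows host and, only when run with -Remove, exports a backup and deletes it. It assumes the stock ProgID is 'jntfile' and that Journal.exe lives under "$env:ProgramFiles\Windows Journal"; both are used for reporting only.

```powershell
# Added example: audit (and optionally remove) the Windows Journal .JNT file association.
# Run from an elevated PowerShell; re-run with -Remove to actually delete the key.
[CmdletBinding()]
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:TEMP\jnt-assoc-backup"
)

# PowerShell does not map HKEY_CLASSES_ROOT as a drive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Assumed install location; only used to report whether Journal is present at all.
$journalExe = Join-Path $env:ProgramFiles 'Windows Journal\Journal.exe'
Write-Output ("Journal.exe present: {0}" -f (Test-Path $journalExe))

$extKey = 'HKCR:\.jnt'
if (-not (Test-Path $extKey)) {
    Write-Output 'No .jnt association present; nothing to do.'
    return
}

# The extension key's default value names the ProgID (assumed 'jntfile' on a stock install).
$progId = (Get-ItemProperty -Path $extKey).'(default)'
Write-Output "Found .jnt -> ProgID '$progId'"
$openCmdKey = "HKCR:\$progId\shell\open\command"
if ($progId -and (Test-Path $openCmdKey)) {
    Write-Output ("Open handler: {0}" -f (Get-ItemProperty -Path $openCmdKey).'(default)')
}

if (-not $Remove) {
    Write-Output 'Audit only. Re-run with -Remove to delete the association.'
    return
}

# Export the key with reg.exe before deleting so the change can be reversed later.
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$backupFile = Join-Path $BackupDir 'dot-jnt.reg'
& reg.exe export 'HKCR\.jnt' $backupFile /y | Out-Null

# Deleting HKCR\.jnt removes the mapping from .jnt to the Journal handler, so double-clicking
# or previewing a .jnt file no longer launches Journal. The ProgID key itself is left in place.
Remove-Item -Path $extKey -Recurse -Force
Write-Output "Association removed; restore with: reg.exe import `"$backupFile`""
```

Re-check with `cmd /c assoc .jnt` afterwards; it should report that the association was not found.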