Security
Headlines
HeadlinesLatestCVEs

Headline

Assessing risk for the May 2014 security updates

Today we released eight security bulletins addressing 13 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. The table is designed to help you prioritize the deployment of updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max exploit-ability Likely first 30 days impact Platform mitigations and key notes MS14-029(Internet Explorer) Victim browses to a malicious webpage.

msrc-blog
#vulnerability#web#mac#windows#microsoft#dos#backdoor#auth

Today we released eight security bulletins addressing 13 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. The table is designed to help you prioritize the deployment of updates appropriately for your environment.

Bulletin

Most likely attack vector

Max Bulletin Severity

Max exploit-ability

Likely first 30 days impact

Platform mitigations and key notes

MS14-029(Internet Explorer)

Victim browses to a malicious webpage.

Critical

1

Likely to continue to see exploits leveraging CVE-2014-1815.

This update includes the fix for CVE-2014-1776, first addressed by the MS14-021 out-of-band security update on May 1. However, MS14-029 is not a cumulative security update. Please first install the last cumulative security update for Internet Explorer before applying this update.

MS14-024(Common Controls - MSCOMCTL)

Victim opens malicious RTF document

Important

n/a

Security Feature Bypass only. Not likely to be exploited directly for code execution.

This vulnerability has been leveraged as the ASLR bypass for in-the-wild exploits leveraging the following CVE’s:- CVE-2012-0158 - CVE-2012-1856 - CVE-2013-3906 - CVE-2014-1761Installing this update will prevent this control from being used as an ASLR bypass in any potential future exploits.

MS14-025(Group Policy Preferences)

Attacker having already compromised a domain-joined workstation leverages that access to query Group Policy Preferences to potentially discover obfuscated domain account credentials.

Important

1

Likely to continue seeing attackers use this “post-exploitation” technique to move laterally across enterprise network.

Security update prevents the feature from being used in the future but requires administrators to take action to remove passwords previously stored and still available. This issue and the methods for preventing its abuse are described in more detail at this SRD blog post.

MS14-027(Shell)

Attacker already running code on a machine as low privilege user takes advantage of elevated/high privileged process calling ShellExecute to elevate the low privileged process.

Important

1

Discovered in use by limited number of commodity malware samples. Likely to continue seeing malware attempt to leverage this vulnerability to escalate from low privilege to higher privilege.

Observed in the following malware families, each of which is already blocked by Microsoft anti-malware products:Backdoor:Win32/Koceg Backdoor:Win32/Optixpro.T Backdoor:Win32/Small Backdoor:Win32/Xtrat PWS:Win32/Zbot Rogue:Win32/Elepater Rogue:Win32/FakeRean Trojan:Win32/Dynamer!dtc Trojan:Win32/Malagent Trojan:Win32/Malex.gen Trojan:Win32/Meredrop Trojan:Win32/Otran Trojan:Win32/Rimod Trojan:Win32/Sisron TrojanDropper:Win32/Sirefef TrojanSpy:Win32/Juzkapy VirTool:MSIL/Injector VirTool:Win32/Obfuscator Virus:Win32/Neshta Worm:Win32/Autorun Worm:Win32/Fasong Worm:Win32/Ludbaruma Worm:Win32/Rahiwi

MS14-022(SharePoint)

Attacker able to upload arbitrary content to SharePoint server could potentially run code in the context of the SharePoint service account.

Critical

1

Likely to see reliable exploit emerge in next 30 days.

Attacker must be granted access to upload content to SharePoint server to trigger vulnerability. We haven’t typically seen this type of vulnerability widely exploited, despite its exploitable nature.

MS14-023(Office)

Attacker tricks victim into authenticating to Microsoft online service in such a way that authentication token can be captured and replayed by attacker.

Important

1

Likely to see reliable exploit emerge in next 30 days.

In addition to token replay vulnerability, this update also addresses a DLL preloading issue involving the Chinese grammar checker DLL. We’ve recently developed and posted updated documentation covering the best way to protect applications from this type of attack. You find that guidance in this blog post.

MS14-026(.NET Framework)

Custom application developed leveraging the .NET Remoting feature could grant attack code execution access in response to specially crafted data.

Important

1

Likely to see reliable exploit emerge in next 30 days.

.NET Remoting feature used very rarely, and primarily only with applications written based on .NET Framework version 2.

MS14-028(iSCSI)

Attacker able to reach iSCSI endpoint can potential cause persistent resource exhaustion denial-of-service attack on Windows host.

Important

3

Denial of service only. No chance for direct code execution.

- Jonathan Ness, MSRC engineering team

Related news

September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM

Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went. Alternative video link (for Russia): https://vk.com/video-149273431_456239136 September was quite a busy month for me. Vulnerability Management courses I participated in two educational activities. The first one is an on-line cyber security course for […]

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

CVE-2022-38765: Canon Medical Software Security Updates

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

China-linked APT Flew Under Radar for Decade

Evidence suggests that a just-discovered APT has been active since 2013.

Chinese Threat Actor Employs Fake Removable Devices as Lures in Cyber Espionage Campaign

"Aoqin Dragon" has been operating since at least 2013, with targets including government and telecommunications companies in multiple countries.

A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia

A previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed Aoqin Dragon has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013. "Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,"

Assessing risk for the April 2014 security updates

Today we released four security bulletins addressing 11 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max exploitability Likely first 30 days impact Platform mitigations and key notes MS14-017(Word) Victim opens a malicious RTF or DOC/DOCX file.

Assessing risk for the December 2013 security updates

Today we released eleven security bulletins addressing 24 CVE’s. Five bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max XI Likely first 30 days impact Platform mitigations and key notes MS13-096(GDI+ TIFF parsing) Victim opens malicious Office document.

msrc-blog: Latest News

Congratulations to the Top MSRC 2024 Q3 Security Researchers!