Assessing risk for the May 2014 security updates


msrc-blog

Today we released eight security bulletins addressing 13 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. The table below is designed to help you prioritize deployment of the updates appropriately for your environment.

For each bulletin the table lists the most likely attack vector, the maximum bulletin severity, the maximum Exploitability Index (XI) rating (1 = exploitation more likely, 2 = exploitation less likely, 3 = exploitation unlikely), the impact we expect to see in the first 30 days, and platform mitigations and key notes.

MS14-029 (Internet Explorer)
  Most likely attack vector: Victim browses to a malicious webpage.
  Max bulletin severity: Critical
  Max exploitability (XI): 1
  Likely first 30 days impact: Likely to continue to see exploits leveraging CVE-2014-1815.
  Platform mitigations and key notes: This update includes the fix for CVE-2014-1776, first addressed by the MS14-021 out-of-band security update on May 1. However, MS14-029 is not a cumulative security update: install the latest cumulative security update for Internet Explorer first, then apply this update.

MS14-024 (Common Controls - MSCOMCTL)
  Most likely attack vector: Victim opens a malicious RTF document.
  Max bulletin severity: Important
  Max exploitability (XI): n/a
  Likely first 30 days impact: Security feature bypass only. Not likely to be exploited directly for code execution.
  Platform mitigations and key notes: This vulnerability has been leveraged as the ASLR bypass for in-the-wild exploits of CVE-2012-0158, CVE-2012-1856, CVE-2013-3906 and CVE-2014-1761. Installing this update prevents the control from being used as an ASLR bypass in any potential future exploits.

MS14-025 (Group Policy Preferences)
  Most likely attack vector: An attacker who has already compromised a domain-joined workstation uses that access to query Group Policy Preferences and potentially recover obfuscated domain account credentials.
  Max bulletin severity: Important
  Max exploitability (XI): 1
  Likely first 30 days impact: Likely to continue seeing attackers use this post-exploitation technique to move laterally across enterprise networks.
  Platform mitigations and key notes: The security update prevents the feature from storing passwords in the future, but administrators must take action to remove passwords previously stored, which stay readable to domain users until they are removed. This issue and the methods for preventing its abuse are described in more detail in a companion SRD blog post.

MS14-027 (Shell)
  Most likely attack vector: An attacker already running code on a machine as a low-privileged user takes advantage of an elevated, high-privileged process calling ShellExecute to elevate the low-privileged process.
  Max bulletin severity: Important
  Max exploitability (XI): 1
  Likely first 30 days impact: Discovered in use by a limited number of commodity malware samples. Likely to continue seeing malware attempt to leverage this vulnerability to escalate from low privilege to higher privilege.
  Platform mitigations and key notes: Observed in the following malware families, each of which is already blocked by Microsoft anti-malware products: Backdoor:Win32/Koceg, Backdoor:Win32/Optixpro.T, Backdoor:Win32/Small, Backdoor:Win32/Xtrat, PWS:Win32/Zbot, Rogue:Win32/Elepater, Rogue:Win32/FakeRean, Trojan:Win32/Dynamer!dtc, Trojan:Win32/Malagent, Trojan:Win32/Malex.gen, Trojan:Win32/Meredrop, Trojan:Win32/Otran, Trojan:Win32/Rimod, Trojan:Win32/Sisron, TrojanDropper:Win32/Sirefef, TrojanSpy:Win32/Juzkapy, VirTool:MSIL/Injector, VirTool:Win32/Obfuscator, Virus:Win32/Neshta, Worm:Win32/Autorun, Worm:Win32/Fasong, Worm:Win32/Ludbaruma, Worm:Win32/Rahiwi.

MS14-022 (SharePoint)
  Most likely attack vector: An attacker able to upload arbitrary content to a SharePoint server could potentially run code in the context of the SharePoint service account.
  Max bulletin severity: Critical
  Max exploitability (XI): 1
  Likely first 30 days impact: Likely to see a reliable exploit emerge in the next 30 days.
  Platform mitigations and key notes: The attacker must be granted access to upload content to the SharePoint server to trigger the vulnerability. We haven't typically seen this type of vulnerability widely exploited, despite its exploitable nature.

MS14-023 (Office)
  Most likely attack vector: Attacker tricks the victim into authenticating to a Microsoft online service in such a way that the authentication token can be captured and replayed by the attacker.
  Max bulletin severity: Important
  Max exploitability (XI): 1
  Likely first 30 days impact: Likely to see a reliable exploit emerge in the next 30 days.
  Platform mitigations and key notes: In addition to the token replay vulnerability, this update also addresses a DLL preloading issue involving the Chinese grammar checker DLL. We've recently developed and posted updated documentation covering the best way to protect applications from this type of attack; that guidance is in a separate SRD blog post.

MS14-026 (.NET Framework)
  Most likely attack vector: A custom application built on the .NET Remoting feature could grant an attacker code execution when it processes specially crafted data.
  Max bulletin severity: Important
  Max exploitability (XI): 1
  Likely first 30 days impact: Likely to see a reliable exploit emerge in the next 30 days.
  Platform mitigations and key notes: The .NET Remoting feature is used very rarely, and primarily only by applications written against .NET Framework version 2.

MS14-028 (iSCSI)
  Most likely attack vector: An attacker able to reach the iSCSI endpoint can potentially cause a persistent resource-exhaustion denial of service on the Windows host.
  Max bulletin severity: Important
  Max exploitability (XI): 3
  Likely first 30 days impact: Denial of service only. No chance for direct code execution.
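The MS14-024 entry says the update stops MSCOMCTL from serving as an ASLR bypass, which in practice means the control's image must opt into ASLR through the DYNAMIC_BASE flag in its PE header. The PowerShell below is an added example, not code from the MSRC post or from Microsoft: it reads the DllCharacteristics field of a PE optional header to report whether an image opts into ASLR (DYNAMIC_BASE), high-entropy ASLR and DEP (NX_COMPAT), and goes a step beyond the note by listing every module loaded into a running process that lacks DYNAMIC_BASE, since any such module is a candidate bypass for an exploit author. The MSCOMCTL.OCX path and the WINWORD process name in the usage lines are assumptions about a typical 64-bit Windows install.

```powershell
# Added example, not part of the MSRC post: report whether PE images opt into ASLR/DEP
# and list non-ASLR modules loaded in a process (the kind of module an ASLR bypass needs).

function Get-PeDllCharacteristics {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                 # IMAGE_DOS_HEADER.e_lfanew
    if ($peOffset -le 0 -or ($peOffset + 0x60) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { # "PE\0\0"
        throw "$Path has no valid PE signature"
    }
    # The optional header follows the 4-byte signature and the 20-byte IMAGE_FILE_HEADER.
    $optHdr   = $peOffset + 4 + 20
    $magic    = [BitConverter]::ToUInt16($bytes, $optHdr)             # 0x10b = PE32, 0x20b = PE32+
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    $dllChars = [BitConverter]::ToUInt16($bytes, $optHdr + 70)
    $format   = switch ($magic) { 0x10b { 'PE32' } 0x20b { 'PE32+' } default { '0x{0:x}' -f $magic } }

    [pscustomobject]@{
        Path            = $Path
        Format          = $format
        AslrDynamicBase = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        HighEntropyVA   = [bool]($dllChars -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
        NxCompat        = [bool]($dllChars -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    }
}

function Get-NonAslrModules {
    # Every module in the target process whose image does not opt into ASLR. Each one loads
    # at a predictable address and is therefore what a bypass author looks for; after
    # MS14-024, MSCOMCTL.OCX should no longer appear in this list.
    param([Parameter(Mandatory)][int]$ProcessId)

    foreach ($module in (Get-Process -Id $ProcessId).Modules) {
        try {
            $info = Get-PeDllCharacteristics -Path $module.FileName
            if (-not $info.AslrDynamicBase) { $info }
        } catch {
            Write-Warning $_.Exception.Message
        }
    }
}

# Usage. The OCX path assumes 64-bit Windows, where 32-bit controls live under SysWOW64
# (use System32 on a 32-bit install); WINWORD is just one host process that loads the control.
Get-PeDllCharacteristics -Path "$env:windir\SysWOW64\MSCOMCTL.OCX"
Get-Process -Name WINWORD -ErrorAction SilentlyContinue |
    ForEach-Object { Get-NonAslrModules -ProcessId $_.Id } |
    Format-Table Path, Format, AslrDynamicBase, NxCompat -AutoSize
```

Run the first call before and after installing MS14-024 to confirm AslrDynamicBase flips to True for the patched control; the second call is the more general check, because any third-party add-in or control that still loads without DYNAMIC_BASE gives an attacker the same kind of bypass this update removes.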
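The MS14-025 entry points out that Group Policy Preferences passwords stored before the update stay available until an administrator removes them. The PowerShell below is an added example, not code from the MSRC post or from Microsoft: it walks the domain's SYSVOL Policies share for the preference item types that can carry a cpassword attribute and decrypts each value with the fixed AES-256 key Microsoft published in the MS-GPPREF specification, so its output is exactly what an attacker on a compromised domain-joined workstation can recover. The default share path is built from the current domain and is an assumption about the environment; the cpassword value in the usage line is one that circulates in public GPP write-ups, not a value from this page.

```powershell
# Added example, not part of the MSRC post: find Group Policy Preferences items in SYSVOL that
# still carry a cpassword attribute and show the plaintext any domain user can recover from them.

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$CPassword)

    # The XML stores the Base64 ciphertext without '=' padding; restore it before decoding.
    $padLength  = (4 - $CPassword.Length % 4) % 4
    $ciphertext = [Convert]::FromBase64String($CPassword + ('=' * $padLength))

    # The fixed 32-byte AES key from MS-GPPREF section 2.2.1.1.4 ("Password Encryption").
    # Because the key is public, cpassword is obfuscation, not protection.
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $key
    $aes.IV      = New-Object byte[] 16      # all-zero IV, as the specification requires
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    try {
        $decryptor = $aes.CreateDecryptor()
        $plaintext = $decryptor.TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
        [System.Text.Encoding]::Unicode.GetString($plaintext)   # passwords are stored as UTF-16LE
    } finally {
        $aes.Dispose()
    }
}

function Get-GppCpassword {
    param(
        # Default is the current domain's SYSVOL Policies share (an assumption about the
        # environment); point it at an exported copy of the tree for offline review.
        [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )

    # Preference item types whose schema includes a cpassword attribute.
    $files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Printers.xml','Drives.xml'

    Get-ChildItem -Path $PoliciesPath -Recurse -Include $files -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $xml  = [xml](Get-Content -LiteralPath $file.FullName -Raw)
            foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
                # The account attribute is named differently per item type.
                $account = foreach ($attr in 'userName','accountName','runAs','username') {
                    if ($node.HasAttribute($attr)) { $node.GetAttribute($attr); break }
                }
                [pscustomobject]@{
                    File     = $file.FullName
                    Account  = $account
                    Password = ConvertFrom-GppCpassword -CPassword $node.GetAttribute('cpassword')
                }
            }
        }
}

# Usage: the first call decrypts a cpassword value that circulates in public GPP write-ups
# (not from this page); the second lists every item an administrator still has to delete or
# re-create without a password, which installing MS14-025 does not do for you.
ConvertFrom-GppCpassword -CPassword 'j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw'
Get-GppCpassword | Format-Table File, Account, Password -AutoSize
```

Any row the second call returns is a credential that every authenticated domain user can read from SYSVOL; rotate that account's password as well as removing the preference item, since the value may already have been harvested before the update was installed.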

- Jonathan Ness, MSRC engineering team
