It’s hard to imagine that we are already three-fourths of the way through 2014—at least as measured by Microsoft Patch Tuesdays. Today, Microsoft released four new security bulletins, but only one of them is Critical. Guess which one?
Yes. Internet Explorer. Once again Microsoft’s web browser takes center stage as the most crucial of the Patch Tuesday security bulletins. Microsoft resolved a grand total of 42 separate vulnerabilities this month, but 37 of those 42 are addressed in MS14-052—the cumulative update for Internet Explorer. One of the flaws fixed by MS14-052 is publicly known and actively under attack in the wild, which is why this security bulletin is Critical.
“The bulletin fixes zero day vulnerability CVE-2013-7331, which can be used to leak information about the targeted machine,” says Qualys CTO Wolfgang Kandek in a blog post. “CVE-2013-7331 allows attackers to determine remotely through a webpage the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes. This capability has been used in the wild by malware to check if anti-malware products or Microsoft’s Enhanced Mitigation Toolkit (EMET) is installed on the target system and allows the malware to adapt its exploitation strategy.”
Russ Ernst, director of product management for Lumension, says that MS14-054 should be your second priority. “This is an elevation of privilege vulnerability for one privately disclosed CVE in Task Scheduler," he says. "It’s rated important and Microsoft lists its deployment priority as 2.”
A successful exploit of this vulnerability could allow an attacker to execute code on the system with elevated privileges. An attack that can run with System privileges has the potential to do more damage than one running with standard user privileges.
There is also a Critical update today for Adobe Flash. The flaw can be exploited through a malicious web page or possibly through malicious Microsoft Office files to allow the attacker to remotely execute code on the affected system.
“These issues are grouped by Adobe as APSB14-21, but actually include 12 CVEs, of which most are top priority patching issues for embedded Flash in the browser," says Ross Barrett, senior manager of security engineering for Rapid7. "These issues affect Chrome on Mac, Windows and Linux, Internet Explorer 10 and 11, and any browser using the Flash Desktop Runtime. In effect this is almost everyone with a browser that has Flash support.”
As always, take a closer look at the security bulletins from Microsoft, as well as the updates from Adobe, and make sure you apply any appropriate patches as quickly as possible.