As predicted last week, Microsoft published six new security bulletins for the July Patch Tuesday, and only two of them are rated as Critical. There are also three Important, and one Moderate security bulletin this month. The two Critical security bulletins are a cumulative update for Internet Explorer and a patch for an issue with Windows Journal that could allow an attacker to execute malicious code remotely on the vulnerable system. The Important security bulletins address flaws with the on-screen keyboard, ancillary function driver (AFD) and DirectShow, and the Moderate security bulletin deals with a potential denial of service vulnerability in Microsoft Service Bus.
It seems concerning that Internet Explorer still has so many vulnerabilities. Microsoft has fixed 83 flaws in its browser just in the last 45 days or so. “It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal,” said Marc Maiffret, CTO of BeyondTrust.
The other Critical security bulletin—MS14-038—is an example of how obscure or rarely used software can still pose a potential risk. Windows Journal is installed by default in most supported versions of Windows but isn’t commonly used.
“In this case, the attack surface can be greatly reduced by uninstalling the affected software or removing associations with the unused program,” said Craig Young, security researcher for Tripwire. “One of the best tactics for hardening systems is to remove software or features which are not needed. Doing so protects systems by limiting the lines of code exposed to an attacker and every line of code presents new opportunities for attacks to succeed.”
“MS14-039, MS14-040, and MS14-041 fix the issues disclosed in this year’s pwn2own contest via the Zero Day Initiative’s responsible disclosure process,” said Ross Barrett, senior manager of security engineering for Rapid7. “They are all local, elevation of privilege issues by which an unprivileged user or process may gain greater access. They have demonstrably been used in chained attacks to achieve compromise and, given the nature of their disclosure, must be known to have exploit code in existence. Now that ZDI’s embargo has been fulfilled, that exploit code may become publicly available.”
Tyler Reguly, manager of security research for Tripwire, sums up with this advice. “IT teams will want to focus on the two critical issues affecting Internet Explorer and Windows Journal. If you cannot apply updates immediately, there are workarounds for both of these critical flaws. Users can switch to a new browser, making sure to set the new browser as the default, and disable any Windows Journal .JNT file associations. While a patch is always preferred, limiting the attack surface is a good backup.”