
Patch Tuesday June 2014

We are halfway through the year this month. Microsoft is publishing seven bulletins this month, bringing the half-year total to 36. This is quite a bit below last year's pace of 46. We have become accustomed to seeing around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year, which has already seen its share of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL. Maybe the reduced count is a result of the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second half of the year develops.


The high-priority item this month is Microsoft's Internet Explorer (IE) bulletin MS14-035. It addresses a record-breaking 59 distinct vulnerabilities and includes the fix for the 0-day CVE-2014-1770 in IE8. This issue is not under attack, but it was disclosed 2½ weeks ago by the vulnerability broker ZDI. ZDI had notified Microsoft last October of the use-after-free flaw in the CMarkup object and, when Microsoft did not address it in May, went public with an advisory. The update is rated critical because the vulnerabilities allow remote code execution without user interaction. The attack vector is a web page with malicious content: an innocent website that has come under the control of the attackers, a page set up by the attackers that exploits a popular theme (soccer's World Cup, for example), or simply links to such pages e-mailed to potential victims with short, enticing leads.

Given the volume of work that we do through web browsers, apply this update first.

Our second-highest priority is not from Microsoft but from Adobe. Adobe's Flash Player has a critical update, and since attackers frequently use Flash as their tool of choice, we recommend installing APSB14-16 next. It is rated critical by Adobe for Windows and Mac. Windows XP users will remain exposed, as Adobe is no longer testing and distributing this update for XP. Google Chrome and IE10/11 users get their Flash updates automatically through the browser, which bundles Flash; this is a good security-enhancing feature, and I recommend that everybody switch to these browsers for easier and better security.

Next is the Microsoft Word update MS14-034, which addresses one vulnerability in the program's font handling (CVE-2014-2778). Microsoft rates it only "important" because user interaction is required (one has to open a Word file), but it allows the attacker remote code execution. In addition, attackers have become quite skilled at tricking users into opening files: who wouldn't open a document that brings new information about the company's retirement plan? The Word vulnerability is in the newer DOCX file format and applies only to the 2007 release. If you are using the newer versions of Office/Word, 2010 or 2013, you are not affected.

The last critical update is MS14-036, which is a new version of the GDI+ library. GDI+ parses graphics formats; graphics parsing requires complex logic and has frequently been associated with attack vectors. The bulletin affects Windows, Office and the Lync IM client because they all ship their own copy of the library. There are no known exploits at this time, as opposed to the last update to GDI+ (MS13-096), which addressed a 0-day. You should apply this update as quickly as possible.

The remaining vulnerabilities are:

MS14-033: an update to MSXML that prevents the disclosure of the username.

MS14-030: an update to RDP that prevents a man-in-the-middle (MITM) vulnerability which could be used to tamper with session data.

MS14-031: an update to the TCP/IP stack in Windows Vista that addresses a resource exhaustion issue leading to a denial of service. Attackers can send specially crafted packets with manipulated timestamps that prevent Windows from cleaning up kernel memory.

MS14-032: a new version of Lync Server that addresses a cross-site scripting issue.

In other non-Microsoft news, you have probably also seen the release of a new OpenSSL version. The vulnerabilities addressed do not have the same exploitability as last month's Heartbleed (HB) issue. With HB, attackers could run their code from any machine that had network access to the target; this new set requires the attacker to be a man-in-the-middle (MITM) between the two communicating parties, and both parties need to be running OpenSSL. This is a fairly specific situation that does not apply to the typical browser-based scenarios. As curious security researchers continue their HB-inspired audits of the code base, you should consider this a first wave of issues and be prepared to react to more disclosures of this type. By the way, all previous versions of OpenSSL are affected (0.9.8, 1.0.0 and 1.0.1).

For Windows XP users: The majority of these vulnerabilities apply to your operating system, including remote code execution against IE (MS14-035), Word (MS14-034) and GDI+ (MS14-036). You should update or replace all XP machines with supported versions urgently.

Stay tuned to this blog for more developments.