Patch Tuesday June 2014

We are halfway through the year this month. Microsoft is publishing seven bulletins this month, bringing the half-year total to 36. This is quite a bit below last year’s pace, which was 46. We have become accustomed to seeing around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year, which has already seen its share of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL. Maybe the reduced count is due to the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second half of the year develops.

The high-priority item this month is Microsoft’s Internet Explorer (IE) bulletin MS14-035. It addresses a record-breaking 59 distinct vulnerabilities and includes the fix for the 0-day CVE-2014-1770 in IE8. This issue is not under attack, but it was disclosed 2 ½ weeks ago by the vulnerability broker ZDI. ZDI had notified Microsoft last October of the use-after-free flaw in the CMarkup object and, when Microsoft did not address it in May, went public with an advisory. The update is rated critical because the vulnerabilities allow Remote Code Execution without user interaction. The attack vector is a web page with malicious content, such as an innocent website that has come under the control of attackers, a page set up by attackers around a popular theme (soccer’s World Cup, for example), or simply links to such pages e-mailed to potential victims with short, enticing leads.

Given the volume of work that we do through web browsers, apply this update first.

Our second-highest priority is not from Microsoft but from Adobe. Adobe’s Flash Player has a critical update, and since attackers frequently use Adobe Flash as their tool of choice, we recommend installing APSB14-16 next. It is rated critical by Adobe for Windows and Mac. Windows XP users will remain exposed, as Adobe is no longer testing and distributing this update for XP. Google Chrome and IE10/11 users get their Flash updates automatically through the browser, which bundles Flash; this is a good security-enhancing feature, and I recommend that everybody switch to these browsers for easier and better security.

Next is the Microsoft Word update MS14-034, which addresses one vulnerability in the program’s font handling (CVE-2014-2778). Microsoft rates it only “important” because user interaction is required (one has to open a Word file), but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files. Who wouldn’t open a document that brings new information about the company’s retirement plan? The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions, Office/Word 2010 or 2013, you are not affected.

The last critical update is MS14-036, which is a new version of the GDI+ library. GDI+ parses graphics formats. Graphics parsing requires complex logic and has frequently been associated with attack vectors. It affects Windows, Office and the Lync IM client because they all ship their own copy of the library. There are no known exploits at this time, as opposed to the last update to GDI+ (MS13-096), which addressed a 0-day. You should apply this update as quickly as possible.

The remaining vulnerabilities are:

MS14-033: an update to MSXML that prevents disclosure of the username.

MS14-030: updates RDP to fix a MITM vulnerability that can be used to tamper with session data.

MS14-031: updates the TCP/IP stack in Windows Vista and addresses a resource exhaustion issue that leads to a Denial of Service condition. Attackers can send specially crafted packets with manipulated timestamps that prevent Windows from cleaning up kernel memory.

MS14-032: a new version of Lync Server that addresses a cross-site scripting issue.

In other non-Microsoft news, you have probably also seen the release of a new OpenSSL version. The vulnerabilities addressed do not have the same exploitability as last month’s Heartbleed (HB) issue. With HB, attackers could run their attack from any machine that had network access to the target; this new set requires the attacker to be a man-in-the-middle (MITM) between the two communicating parties, and both parties need to be running OpenSSL. This is a pretty specific situation that does not apply to the typical browser-based scenarios. As curious security researchers continue their HB-inspired audits of the code base, you should consider this a first wave of issues and be prepared to react to more disclosures of this type. By the way, all previous versions of OpenSSL are affected (0.9.8, 1.0.0 and 1.0.1).

For Windows XP users: The majority of these vulnerabilities apply to your operating system, including remote code execution against IE (MS14-035), Word (MS14-034) and GDI+ (MS14-036). You should update or replace all XP machines with supported versions urgently.

Stay tuned to this blog for more developments.