
Patch Tuesday June 2014

We are halfway through the year this month. Microsoft is publishing seven bulletins this month, bringing the half-year total to 36. This is quite a bit below last year’s pace, which was 46. We have become accustomed to seeing around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year, which has already seen its share of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL. Maybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.

The high priority item this month is Microsoft’s Internet Explorer (IE) Bulletin MS14-035. It addresses a record-breaking 59 distinct vulnerabilities and includes the fix for the 0-day CVE-2014-1770 in IE8. This issue is not under attack, but it was disclosed 2 ½ weeks ago by vulnerability broker ZDI. ZDI had notified Microsoft last October of the use-after-free flaw in the CMarkup object and, when Microsoft did not address it in May, went public with an advisory. The update is rated critical because the vulnerabilities allow Remote Code Execution without user interaction. The attack vector is a web page with malicious content, such as an innocent website that has come under control of the attackers, a page set up by attackers that exploits a popular theme (soccer’s World Cup for example) or just links to pages e-mailed to potential victims with short enticing leads.

Given the volume of work that we do through web browsers, apply this update first.

Our second highest priority is not from Microsoft, but from Adobe. Adobe’s Flash Player has a critical update, and since attackers frequently use Adobe Flash as their tool of choice, we recommend installing APSB14-16 next. It is rated critical by Adobe for Windows and Mac. Windows XP users will remain exposed, as Adobe is no longer testing and distributing this update for XP. Google Chrome and IE10/11 users get their updates automatically through the browser, which bundles Flash; this is a good security-enhancing feature. I recommend that everybody switch to one of these browsers for easier and better security.

Next is the Microsoft Word update MS14-034, which addresses one vulnerability in the program’s font handling (CVE-2014-2778). Microsoft rates it only “important” because user interaction is required - one has to open a Word file - but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files. Who wouldn’t open a document that brings new information about the company’s retirement plan? The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions of Office/Word 2010 or 2013, you are not affected.

The last critical update is MS14-036, which is a new version of the library GDI+. GDI+ parses graphics formats. Graphics parsing requires complex logic and has frequently been associated with attack vectors. It affects Windows, Office and the Lync IM client because they all bring their own copy. There are no known exploits at this time, as opposed to the last update to GDI+ (MS13-096), which addressed a 0-day. You should apply this update as quickly as possible.

The remaining vulnerabilities are:

MS14-033: an update to MSXML that prevents the disclosure of the username.

MS14-030: updates RDP to prevent a MITM vulnerability that can be used to tamper with the session data.

MS14-031: updates the TCP/IP stack in Windows Vista and addresses a resource exhaustion issue that leads to a Denial of Service situation. Attackers can send specially crafted packets with manipulated timestamps that prevent Windows from cleaning up kernel memory.

MS14-032: a new version of Lync Server that addresses a cross-site scripting issue.

In other non-Microsoft news, you have probably also seen the release of a new OpenSSL version. The vulnerabilities addressed do not have the same exploitability as last month’s Heartbleed (HB) issue. With HB, attackers could run their code from any machine that had network access to the target; this new set requires the attacker to be a man-in-the-middle (MITM) between the two communicating parties, and both parties need to be running OpenSSL. This is a pretty specific situation that does not apply to the typical browser-based scenarios. As curious security researchers continue their HB-inspired audits of the code base, you should consider this a first wave of issues and be prepared to react to more disclosures of this type. By the way, all previous versions of OpenSSL are affected (0.9.8, 1.0.0 and 1.0.1).

For Windows XP users: The majority of these vulnerabilities apply to your operating system, including remote code execution against IE (MS14-035), Word (MS14-034) and GDI+ (MS14-036). You should update or replace all XP machines with supported versions urgently.

Stay tuned to this blog for more developments.