International SOS and Vismo in joint partnership t... » York, UK: International SOS, the world's leading medical and security services company, and Vismo, a... Tech Mahindra selects Qualys to expand global IT s... » REDWOOD CITY, Calif.: Qualys, Inc. has announced a strategic partnership with Tech Mahindra , a mult... Barracuda launches SignNow Appliance » Barracuda Networks has launched the Barracuda SignNow version 4.0 and the new Barracuda SignNow Appl... Boston Networks design, deliver and maintain Intel... » Regarded as the world’s most prestigious team golf event, Boston Networks delivers a full turnkey so... British Parliament tells Teeside University to sta... » Ground-breaking research at Teesside University which has been described as the “holy grail” of crim... Army Officer wins engineering Modern Day Visionary... » Source: MoD AIRCRAFT Engineering Officer Major Oli Morgan has been named as the 2014 Modern Day V... Electronic I.D. Card project in Nigeria: How not t... » President Goodluck Jonathan recently launched a MasterCard-branded Nigerian National Electronic I.D ... Do you know which smartphone is the most popular s... » Surprisingly, it’s not the iPhone, LG, Huawei or HTC and Windows Phone hardly gets a look in. Even t... Auditors stresses importance of CHD Discovery » PCIQ2PCIQ3 Despite the fact that over 76% of QSAs and ISAs consider card holder data (CHD) discover... BSIA makes case for private security industry » With Conference season upon us, the British Security Industry Association (BSIA), has been busy cham...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

Patch Tuesday June 2014

We are halfway through the year this month. Microsoft is publishing seven bulletins this month bringing the half-year total to 36. This is quite a bit below last year’s pace which was 46. We have become accustomed to see around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year which has already seen its shares of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL. Maybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.

 

The high priority item this month is Microsoft’s Internet Explorer (IE) Bulletin MS14-035. It addresses a record-breaking 59 distinct vulnerabilities and includes the fix for the 0-day CVE-2014-1770 in IE8. This issue is not under attack, but it was disclosed 2 ½ weeks ago by vulnerability broker ZDI. ZDI had notified Microsoft last October of the use-after-free flaw in the CMarkup object and, when Microsoft did not address it in May, went public with an advisory. The update is rated critical because the vulnerabilities allow Remote Code Execution without user interaction. The attack vector is a web page with malicious content, such as an innocent website that has come under control of the attackers, a page set up by attackers that exploits a popular theme (soccer’s World Cup for example) or just links to pages e-mailed to potential victims with short enticing leads.

Given the volume of work that we do through web browsers, apply this update first.

Our second highest priority is not from Microsoft, but from Adobe. Adobe’s Flash player has a critical update and since attacker’s frequently use Adobe Flash as their tool of choice we recommend installing APSB14-16 next. It is rated critical by Adobe for Windows and Mac. Windows XP users will remain exposed as Adobe is not testing and distributing this update for XP anymore. Google Chrome and IE10/11 users get their updates automatically through the browser that includes Flash, which is a good security enhancing feature. I recommend to everybody switching to these browsers for easier and better security.

Next is the Microsoft Word update MS14-034, which addresses one vulnerability in the program’s font handling (CVE-2014-2778). Microsoft rates it only “important” because user interaction is required - one has to open a Word file - but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files. Who wouldn’t open a document that brings new information about the company’s retirement plan. The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions of Office/Word 2010 or 2013 you are not affected.

The last critical update is MS14-036, which is a new version of the library GDI+. GDI+ parses graphics formats. Graphics parsing requires complex logic and has frequently been associated with attack vectors. It affects Windows, Office and the Lync IM client because they all bring their own copy. There are no known exploits at this time, as opposed to the last update to GDI+ (MS13-096), which addressed a 0-day. You should apply this update as quickly as possible.

The remaining vulnerabilities are:

MS14-033: an update to MSMXL that prevents the disclosure of the username.

MS14-030: updates RDP to prevent a MITM vulnerability that can be used to tamper with the session data.

MS14-031: updates the TCP/IP stack in Windows Vista and addresses a resource exhaustion issue that leads to a Denial of Service situation. Attackers can send specifically created packets with manipulated timestamps that prevent Windows from cleaning up kernel memory.

MS14-032: a new version Lync Server that addresses a cross-site scripting issue.

In other non-Microsoft news, you have probably also seen the release of a new OpenSSL version. The vulnerabilities addressed do not have the same exploitability than last month’s Heartbleed (HB) issue. With HB, attackers could run their code from any machine that had network access to the target; this new set requires the attacker to be a man-in-the-middle (MITM) between the two parties that communicate, and both parties need to be running OpenSSL. This is a pretty specific situation that does not apply to the typical browser-based scenarios. As curious security searchers continue their HB-inspired audits of the code base, you should consider this a first wave of issues and be prepared to react to more disclosures of this type. By the way, all previous versions of OpenSSL are affected (0.9.8, 1.0.0 and 1.0.1).

For Windows XP users: The majority of these vulnerabilities apply to your operating system, including remote code execution against IE (MS14-035), Word (MS14-034) and GDI+ (MS14-036). You should update or replace all XP machines with supported versions urgently.

Stay tuned to this blog for more developments