Craig Young, security researcher, writes:
“This is a huge month for Internet Explorer updates with a total of 59 CVEs being resolved. Amongst these MS has released a fix for an IE 8 bug which was reported through HP’s Zero Day Initiative back in October 2013. Although no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code.
In another blast from the past, Microsoft has updated the TCP stack to account for a resource exhaustion attack somewhat reminiscent of Sockstress. This vulnerability allows attackers to establish TCP connections with maliciously crafted window sizes, leading to service unavailability. This is a particularly serious vulnerability because it can be exploited by a remote attacker with the goal of taking down a specific service or potentially taking a server completely offline.
An embedded font issue affecting certain Office products is also interesting because this is one of the few issues of these types which affect the newer, open XML format rather than being limited to the legacy binary format. In the past Microsoft has advised users to disable the binary format as a mitigation for attacks against this format. Unfortunately in this case disabling the binary format does not prevent exploitation.”
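The window-size resource exhaustion described above is the kind of condition a defender can spot from the server's own connection table: one peer holding many ESTABLISHED connections while advertising a tiny (or zero) receive window, so the server must keep buffers and timers alive for each of them. The following heuristic detector is an added example, not code from either researcher or from Microsoft; the record format, the thresholds (window at or below 64 bytes, 20 or more such connections per source) and the sample records are all constructed for the illustration.

```python
"""Heuristic detector for Sockstress-style low-window connection floods.

Added example, not part of the original commentary. Reads connection
records in a constructed 'src:port -> dst:port STATE win=N' format, where
win is the receive window the remote peer advertises to us, and flags
sources that keep many ESTABLISHED connections open at a tiny window.
"""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values from any advisory.
MAX_WINDOW = 64          # peer window (bytes) at or below this counts as "tiny"
MIN_CONNECTIONS = 20     # this many tiny-window connections per source is suspicious


@dataclass(frozen=True)
class Conn:
    src: str          # remote address (without port)
    dst_port: int     # local service port
    state: str        # TCP state as printed in the record
    peer_window: int  # receive window the remote peer advertises to us


def parse_record(line: str) -> Conn:
    """Parse one constructed record: 'src:port -> dst:port STATE win=N'."""
    left, right = line.split("->", 1)
    src = left.strip().rsplit(":", 1)[0]
    dst, state, win = right.split()
    dst_port = int(dst.rsplit(":", 1)[1])
    return Conn(src, dst_port, state, int(win.split("=", 1)[1]))


def flag_sources(records, max_window=MAX_WINDOW, min_conns=MIN_CONNECTIONS):
    """Return {source: count} for sources holding >= min_conns ESTABLISHED
    connections whose advertised window is <= max_window.

    Half-open states (SYN_RECV) are deliberately ignored: those belong to a
    SYN-flood check, not to this established-connection starvation check.
    """
    per_src = defaultdict(int)
    for c in records:
        if c.state == "ESTABLISHED" and c.peer_window <= max_window:
            per_src[c.src] += 1
    return {s: n for s, n in per_src.items() if n >= min_conns}


def sample_records():
    """Constructed connection table for the demo (documentation-range IPs)."""
    lines = []
    # one source parking 25 ESTABLISHED connections at window 0
    for i in range(25):
        lines.append(f"203.0.113.7:{40000 + i} -> 192.0.2.10:80 ESTABLISHED win=0")
    # a normal client with full windows
    for i in range(3):
        lines.append(f"198.51.100.4:{51000 + i} -> 192.0.2.10:80 ESTABLISHED win=65535")
    # a slow link: legitimately small window, but far below the count threshold
    for i in range(2):
        lines.append(f"198.51.100.9:{52000 + i} -> 192.0.2.10:443 ESTABLISHED win=16")
    # a half-open attempt, which this check ignores
    lines.append("203.0.113.8:1234 -> 192.0.2.10:80 SYN_RECV win=0")
    return [parse_record(line) for line in lines]


if __name__ == "__main__":
    for src, n in flag_sources(sample_records()).items():
        print(f"suspect {src}: {n} established connections with tiny window")
```

The count threshold matters as much as the window threshold: a single slow or congested client will legitimately advertise a small window for a while, so the detector only fires when one source holds many such connections at once, which is the pattern that ties up server-side resources. This also explains the remark below that home routers mitigate the issue for most consumers: a NAT gateway that is not itself listening on the Internet never accumulates such connections from outside.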
Tyler Reguly, manager of security research, says:
“There are a few interesting things about this Patch Tuesday. The first is the massive Internet Explorer update. However, it's been two months since our last cumulative update, and we're likely seeing last month's IE update and this month's IE update released together. If you remember, last month we saw a non-cumulative update that felt almost like it was intended to be an out-of-band update.
This month we're seeing a patch for Remote Desktop. A flaw in RDP could allow attackers in a position to perform a man-in-the-middle attack to modify RDP content. This is the first server-side Remote Desktop vulnerability released since 2012 and the first one ever released for Windows 8, and it was discovered and reported by Tripwire. While it's not the most critical vulnerability fixed this month, it's nice to see your research lead to patches that are delivered to customers.
With Lync, Lync Server, and Remote Desktop in the mix this month, it feels like enterprises are going to have a busier time than home users. Additionally, this month's TCP vulnerability (MS14-031) is mitigated for most consumers because of the use of home routers.
MS14-034, which affects only Office 2007, is a reminder that Microsoft's Security Development Lifecycle really does work. It would be nice to see them shorten their support windows, forcing consumers and enterprises to upgrade more frequently. This would remove older, more vulnerable software from the picture.”