Patch Tuesday Overview for May 2014

This month, Microsoft released several updates that are very critical for system administrators. The biggest ‘gotcha’ for people will be the Internet Explorer updates, as this month we’re seeing a non-cumulative update release, which are even rarer than out-of-band patch releases.
S topping this list, as usual is Internet Explorer, which has seen at least two zero-day attacks in the wild in the last month. The patch released for MS14-029 includes the out-of-band fix from earlier this month (CVE-2014-1776) as well as a fix for CVE-2014-1815, which is currently under active attack.
“It is important to note however that this is not a cumulative IE update and that users will have to install the last cumulative IE update, MS14-018, before applying MS14-029 updates” said Craig Young, security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT).
Tyler Reguly, manager of security research for VERT, said he was expecting to see a vulnerability that Tripwire reported to Microsoft included in the Patch Tuesday releases this month, but it wasn’t included.
“At this point, we’re expecting to see the update next month, but this is the second time we expected the update to be released and we were surprised it wasn’t in the patch drop,” Reguly said. “When it’s released, we’ll offer additional details on the Tripwire State of Security blog.”
Next up, Microsoft took another step this month to limit exposure from unknown vulnerabilities associated with MS14-024 by releasing an update to MSCOMCTL, which enables ASLR.
“By doing this, Microsoft aims to break exploits which use MSCOMCTL as a resource for building exploit payloads” Young said.
Then there is MS14-025, another vulnerability that attackers have been using in real-world operations. In this scenario, a flaw in Group Policy Preferences allows attackers to potentially retrieve obfuscated domain account credentials which have been stored for running privileged processes.
“This cuts off a popular post-exploitation technique used after compromising a domain-joined workstation which can query group policy preferences. The fix from Microsoft disabled the related feature but affected Administrators will still need to remove previously stored passwords as outlined in Microsoft’s SRD blog post,” Young explained.
In addition to MS14-024 and MS14-025, Microsoft has also released MS14-027 which blocks off another attack being exploited in the wild to gain persistent elevated access to a system.
“In this attack, malware with limited registry access could leverage normal system processes to run its own code with elevated permissions” Young said.
Then there is MS14-022, which depending on your SharePoint usage, may be as important or even more important than the IE updates. In this scenario, an attacker with upload permissions on SharePoint can upload a maliciously crafted data blob that can lead to code execution.
“In the case of SharePoint servers configured to allow anonymous uploaders, this should be considered an unauthenticated, remote code execution vulnerability. However, locked down SharePoint servers are not in the clear because they are still exposed to insider threats in which a valid authorized user attacks the server,” Young said.
For home users of Microsoft Office products, MS14-023 should be very interesting. “My family just migrated to Microsoft OneDrive and Office365 Home for all of our computing needs, and this vulnerability affects the passing of tokens in the OneDrive product,” said Reguly.
“This means I’ll need to be hyper-vigilant in monitoring my families usage of these services until I can get the updates deployed across all of our computers.”