Security in Context: The BeyondTrust Blog


April 2014 Patch Tuesday

Posted April 8, 2014    BeyondTrust Research Team

April’s Patch Tuesday brings four patches to us, fixing Microsoft Word, Internet Explorer, Windows file handling, and Microsoft Publisher. It also brings us the final patches for Windows XP and Office 2003.

MS14-017 fixes a zero-day vulnerability, CVE-2014-1761, in Microsoft Word that has been exploited in the wild. The vulnerability lies in how Word handles the value of the listoverridecount control word in an RTF file. Permitted values are 0, 1, or 9, but the vulnerability manifests when a value of 25 is used. Attackers have successfully leveraged this in targeted attacks. Because of the public exploitation, Microsoft released an advisory and a Fix it solution to address the issue until a patch could be installed. This continues a trend we’ve seen over the past few years of Office-based exploits being used successfully in targeted attacks. Fortunately, if you are running with least privileges, this will affect you less, as it only allows remote code execution within the context of the current user. Two other vulnerabilities fixed in this bulletin also permit remote code execution in the context of the current user. Deploy this patch as soon as possible to fix vulnerabilities in both Word and Office Web Apps.
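As an added example (not BeyondTrust’s code and not Microsoft’s fix), the following Python scans an RTF byte stream for \listoverridecount control words and flags any value outside the set the bulletin write-up says Word permits; the two sample documents are constructed for illustration.

```python
import re

# The set of \listoverridecount values the post says Word accepts.
PERMITTED_LISTOVERRIDECOUNT = {0, 1, 9}

# An RTF control word is a backslash, a run of letters, and an optional signed
# decimal parameter; the parameter ends at the first non-digit character.
_LISTOVERRIDECOUNT_RE = re.compile(rb"\\listoverridecount(-?\d+)")


def find_listoverridecount(rtf: bytes) -> list:
    """Return every \\listoverridecount parameter present in the RTF byte stream."""
    return [int(m.group(1)) for m in _LISTOVERRIDECOUNT_RE.finditer(rtf)]


def is_suspicious_rtf(rtf: bytes) -> bool:
    """True when the data is RTF and carries a \\listoverridecount value outside
    the permitted set; a permitted value or a non-RTF file is not flagged."""
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return False  # not an RTF document, so the control word is meaningless here
    return any(v not in PERMITTED_LISTOVERRIDECOUNT
               for v in find_listoverridecount(rtf))


# Constructed sample documents (hypothetical, not real malware): one with a
# permitted value and one carrying the out-of-range value named in the post.
BENIGN_RTF = (b"{\\rtf1\\ansi{\\*\\listoverridetable"
              b"{\\listoverride\\listid1\\listoverridecount0\\ls1}}Hello}")
SUSPECT_RTF = (b"{\\rtf1\\ansi{\\*\\listoverridetable"
               b"{\\listoverride\\listid1\\listoverridecount25\\ls1}}Hello}")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(name, find_listoverridecount(doc),
              "flagged" if is_suspicious_rtf(doc) else "ok")
```

Run it over a mail gateway’s quarantined attachments or a file share to surface documents worth a closer look; a flagged value is a trigger for review, not proof of exploitation.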

MS14-018 fixes multiple vulnerabilities in Internet Explorer, all of them memory corruption issues. Attackers use these types of vulnerabilities by setting up malicious web pages and convincing users to view them. Once the user points Internet Explorer at the attacker’s page, one of these vulnerabilities is exploited, granting the attacker the ability to execute code in the context of the current user of the computer. So if you are running with least privileges, you will be far less affected than if you are running with Administrator privileges. It should be noted that Internet Explorer 10 is not affected, because the update for IE10 is considered a non-security update. To mitigate these vulnerabilities until the patch is deployed, administrators can block ActiveX controls and block or disable Active Scripting in both the Internet and Local intranet zones.

MS14-019 addresses a publicly disclosed vulnerability in the Windows file handling component. It manifests when Windows fails to properly restrict the path used for processing .BAT and .CMD file types to the local network, and can lead to code execution in the context of the account that opened the .BAT or .CMD file. The vulnerability has been disclosed publicly, but no exploitation in the wild had been observed at the time of patch release. Because it requires attackers to convince users to run a specially crafted .BAT or .CMD file that the attacker provides, this bulletin is of low priority: users must first navigate to a malicious network directory and then execute the malicious file, whereas something like an Internet Explorer vulnerability can be exploited by a single click on a link to a malicious web page. Deploy this patch last.

MS14-020 addresses a vulnerability in Microsoft Publisher that can be used to execute arbitrary code in the context of the current user. It only affects Office 2003/2007, so if you’re using one of the two latest versions of Office (2010/2013), you will remain unaffected. Also, if you are running with least privileges, you will be less affected than users who are running with Administrator privileges. Deploy this patch after MS14-017 and MS14-018.

Be sure to patch Microsoft Word (MS14-017), Internet Explorer (MS14-018), followed by Microsoft Publisher (MS14-020), and lastly Windows file handling (MS14-019). Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, April 9 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win an iPad Mini!

Are you concerned about an increase in exploits for XP being used in the wild? If you have XP machines still in use, what are you doing to make sure they’re protected?

Most insightful and/or awesome answer wins!

>> VEF News Articles


USB Attacks Need Physical Access Right? Not Any More…

Banks to be hit with Microsoft costs for running outdated ATMs

NSA Piggybacking on Botnets

The Tesla Model S Is Basically A Good Looking IT Department On Wheels

>> VEF Questions & Comments

Noha was curious about “…if it is better to migrate to Windows 7 or Windows 8.” Our take is that either is better than Windows XP for a lot of reasons. Primarily, Windows 7 and Windows 8 have built-in security features that XP just doesn’t have, or can’t implement fully. Depending on your user base and budget, W7 or W8 would be a good move for performance, reliability, and security reasons. That said, there is a bit of a learning curve for W8 and the new Metro UI, but that is supposedly being addressed in a future update. W8 also has more security features than W7, and is faster in some cases.

Dustin wanted to know, “Do you feel that AV, firewalls will help mitigate threats (to a decent degree) beyond MS lack of patching?” Nothing replaces solid patching practices. Security is like an onion, and the more layers you have, the more agony and frustration you will inflict on a malicious actor. If an attacker gets into your network and finds egress filtering, HIDS, endpoint protection, EMET, no third-party or first-party software vulnerabilities (because you install your updates), VLANing, and more… they’re in for a long engagement during which they might be caught.

Thank you to all who attended this month’s VEF! We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly.


5 Responses to “April 2014 Patch Tuesday”

  1. Dustin

    I am a bit concerned with XP being EOL and having a few in service. Most are behind a firewall, with good AV installed. However, I don’t put a lot of faith in this. For us, we are using PowerShell to identify all XP machines and getting them updated to Windows 7 as soon as possible.

    For those that are old and the machines need to be replaced, I replace the machine and wipe the HDD… Then use them as targets at the shooting range to finish them off. They are small drives with little value, wiped using DBAN, and then destroyed and trashed (I feel better that way rather than just tossing them or giving them away).

    April 09, 2014 1:22:26
  2. Wayne

    XP systems are still needed in some cases where the application is not yet ready for Win7 clients or upgrading the application is going to take time and money, and therefore extend beyond the support life of the OS. We are actively moving such systems into isolation and limiting their connection ability to only what is essential. We are using what capabilities are already present, such as router ACLs and VACLs in switches, to restrict connections to essential services. Internet firewalls are configured to block all internet access for these systems. Antivirus updates will be monitored to make sure signatures are still being deployed. If we find that is not the case, different AV software will be loaded. IDS/IPS systems have been tuned to be especially aware of these assets. A separate virtual environment is being developed to contain such systems, and those that can be moved there will be. This containment area will also be used for Server 2003 systems that cannot be replaced before the end of their support. A UTM firewall appliance will be used to control the entry point. No MS file services will be allowed to traverse in and out, and other methods will be used to move files if such is needed. Some systems will not have any allowed connections, as they will only be kept alive for archive purposes and decommissioned once the retention period is over. Most of these will only need a relatively short time in isolation before being replaced or shut down. There is one case where we may have to keep the system available for several more years. We feel that with proper upkeep and monitoring this will be adequate and present an acceptable risk.

    April 09, 2014 1:49:28
  3. Michael

    As a vendor in the financial market we’re concerned with XP going away. Not so much internally, where we’ve been on Windows 7 for a while, but more so for our clients, many of whom seem to have XP machines that still access our website. On the plus side, our developers are excited to stop supporting IE 6-8…

    We do actually have one PC that is still running XP. It is used for testing typing and reading skills with some software that doesn’t work on Windows 7. HR is looking for something “newer,” but until then we took steps a while ago to completely isolate the machine: NIC ports disabled, front USB ports disabled, boot from anything but hdd1 disabled, BIOS password set, etc.

    April 09, 2014 2:00:39
  4. Eddie

    *Are you concerned about an increase in exploits for XP being used in the wild?

    Yes, particularly on ATM machines, where we as consumers would not know whether they are running XP. This would make a great business case to move those systems off to a supported OS, and/or some sort of notification to consumers may need to be mandatory, such as under PCI, to state the potential vulnerability of using such a system. This, as with any other notification, will raise the awareness of hacktivists among other opportunistic individuals looking for an easy way in, which would lead to another great question: how should vulnerabilities be communicated?

    **If you have XP machines still in use, what are you doing to make sure they’re protected?

    The only way we could effectively “make sure” they are protected is through PowerBroker leveraged with Retina CS, as other products have gaps that would otherwise create more cost instead of lowering security risk factors. This raises another question: how is any other system protected? We would always have to assume compromise, so if XP is clearly going to be exploited, what actions could we take to mitigate vs. trying to protect something that cannot be shelled other than turning the power off and unplugging it from the network and any power source? I would endeavor to see how PowerBroker can be leveraged to address such mitigations given the certainty of the attack vector being exploited. Retina can be leveraged by scheduled scans and actively monitoring those XP systems, but run the risk analysis for the “non-scanned times.” Addressing potential entry points such as USB, email, wireless, physical, etc., and monitoring those with proper alerting would ease the burden on the administrators and potentially reduce the risk. To achieve this, using a tool that can “wrap itself” around the box, like Retina CS, would be ideal.

    April 11, 2014 4:24:51
  5. Rick

    Simply put, and to answer both questions, “With the death of XP, now is the time to switch to Linux.” No worries and certainly more secure. Ubuntu anyone?

    April 11, 2014 7:05:38
