April’s Patch Tuesday brings four bulletins, fixing Microsoft Word, Internet Explorer, Windows file handling, and Microsoft Publisher. It also brings the final security patches for Windows XP and Office 2003, both of which leave support this month.
MS14-017 fixes a zero-day vulnerability, CVE-2014-1761, in Microsoft Word that has been exploited in the wild. The bug lies in how Word handles the value of the listoverridecount control word in an RTF file: legitimate documents use 0, 1, or 9, and the exploit supplies a value of 25. Attackers have used this successfully in targeted attacks. Because the flaw was being exploited before a patch existed, Microsoft released an advisory and a Fix it workaround; now that the patch is available, install it, since the Fix it was only an interim measure. This continues the trend we have seen over the past few years of Office-based exploits used in targeted attacks. If you run with least privilege the impact is reduced, because the exploit gains remote code execution only in the context of the current user; it still gets everything that user can read, write, or reach on the network. Two other vulnerabilities in this bulletin also permit remote code execution in the context of the current user. Deploy this patch as soon as possible to fix the vulnerabilities in both Word and Office Web Apps.
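As an added example (not code from this post or from Microsoft), the following PowerShell function scans RTF files for the listoverridecount control word and flags any parameter outside the values listed above as legitimate (0, 1, 9). It assumes the files are plain RTF on disk (an RTF inside a mail attachment or another container still has to be extracted first), and a hit is a triage indicator rather than proof of exploitation. The two sample files it writes are constructed for the demonstration and carry no exploit payload.

```powershell
# Added example, not from the original post: flag RTF files whose
# \listoverridecount parameter is outside the values the post lists as
# legitimate (0, 1, 9). The two sample files written below are constructed
# for this demonstration and contain no exploit.

function Test-RtfListOverrideCount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Path,
        # Allowed parameter values, kept as strings so that an absurdly large
        # number in a malformed file is reported instead of overflowing a cast.
        [string[]]$Allowed = @('0', '1', '9')
    )
    process {
        # RTF control words are 7-bit ASCII; decode the raw bytes as ASCII so
        # a deliberately malformed file cannot trip a Unicode decoder.
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)

        # Word sniffs content rather than trusting the extension, so a file
        # that lacks the RTF header is reported rather than silently skipped.
        $isRtf = $text -match '^\s*\{\\rtf'

        # A control word is a backslash, letters, then an optional signed
        # decimal parameter; capture that parameter for \listoverridecount.
        $values = @()
        if ($isRtf) {
            $values = @([regex]::Matches($text, '\\listoverridecount(-?\d+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        $bad = @($values | Where-Object { $Allowed -notcontains $_ })

        [pscustomobject]@{
            Path       = $Path
            IsRtf      = $isRtf
            Values     = $values
            Suspicious = ($bad.Count -gt 0)
        }
    }
}

# Demonstration on two constructed files in a scratch directory.
$scratch = Join-Path ([System.IO.Path]::GetTempPath()) 'rtf-listoverride-check'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

# Benign: the list override table entry a normal document carries.
'{\rtf1\ansi{\*\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}}Hello}' |
    Set-Content -Path (Join-Path $scratch 'benign.rtf') -Encoding Ascii

# Suspicious: the out-of-range value 25 described in the post, and nothing else.
'{\rtf1\ansi{\*\listoverridetable{\listoverride\listid1\listoverridecount25\ls1}}Hello}' |
    Set-Content -Path (Join-Path $scratch 'suspect.rtf') -Encoding Ascii

Get-ChildItem -Path $scratch -Filter *.rtf |
    Select-Object -ExpandProperty FullName |
    Test-RtfListOverrideCount |
    Format-Table Path, IsRtf, Suspicious, Values -AutoSize
```

Point the pipeline at a mail quarantine or file share instead of the scratch directory to sweep for documents worth a closer look; files that are not RTF at all (IsRtf false) deserve attention too, since a .rtf extension on non-RTF content is itself unusual.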
MS14-018 fixes multiple vulnerabilities in Internet Explorer, all of them memory corruption bugs. Attackers exploit this class of vulnerability by setting up a malicious web page and convincing users to view it; once Internet Explorer renders the attacker’s page, one of these bugs is triggered and the attacker gains code execution in the context of the current user. So if you run with least privilege, you are far less exposed than if you browse as an Administrator. Note that Internet Explorer 10 is not listed as affected; the IE10 update included with this bulletin is classified as non-security. To mitigate until the patch is deployed, administrators can configure the Internet and Local intranet zones to block ActiveX controls and disable Active Scripting. Expect breakage on intranet applications that depend on script or ActiveX, so test the change, and revert it once the patch is installed.
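To apply the interim mitigation described above, here is an added PowerShell example (not part of the original post) that sets the Internet (zone 3) and Local intranet (zone 1) actions for “Run ActiveX controls and plug-ins” and “Active scripting” to Disable for the current user, backs up the prior values, and can restore them once MS14-018 is deployed. It assumes the zone value names 1200 and 1400 and the action data 3 = Disable as documented for the Internet Settings zones registry keys; where Group Policy manages the zones, the policy values take precedence and this per-user change has no effect, so in a domain use the equivalent policy setting instead.

```powershell
# Added example, not from the original post: interim MS14-018 mitigation.
# Registry layout assumed from Microsoft's documentation of the security
# zones keys: value 1200 = "Run ActiveX controls and plug-ins",
# 1400 = "Active scripting"; data 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$Actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Disable  = 3

function Get-IEZoneActionState {
    # Current setting of each (zone, action) pair; Value is $null if unset.
    foreach ($zoneId in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $zoneId
        foreach ($name in $Actions.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                ZoneId    = $zoneId
                Zone      = $Zones[$zoneId]
                ValueName = $name
                Action    = $Actions[$name]
                Value     = $current
                Disabled  = ($current -eq $Disable)
            }
        }
    }
}

function Enable-IEZoneMitigation {
    param([string]$BackupPath = (Join-Path $env:TEMP 'ie-zone-backup.json'))
    # Record the pre-change state first so the workaround can be reverted
    # once the patch is installed.
    Get-IEZoneActionState | ConvertTo-Json | Set-Content -Path $BackupPath
    foreach ($zoneId in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $zoneId
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Actions.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $Disable -Type DWord
        }
    }
    Get-IEZoneActionState
}

function Disable-IEZoneMitigation {
    param([string]$BackupPath = (Join-Path $env:TEMP 'ie-zone-backup.json'))
    # Put back exactly what was there before, removing values that did not exist.
    foreach ($entry in @(Get-Content -Path $BackupPath -Raw | ConvertFrom-Json)) {
        $key = Join-Path $ZoneRoot $entry.ZoneId
        if ($null -eq $entry.Value) {
            Remove-ItemProperty -Path $key -Name $entry.ValueName -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name $entry.ValueName -Value ([int]$entry.Value) -Type DWord
        }
    }
    Get-IEZoneActionState
}

# Usage: review the current state, then apply, and revert after patching.
Get-IEZoneActionState | Format-Table Zone, Action, Value, Disabled -AutoSize
# Enable-IEZoneMitigation  | Format-Table Zone, Action, Value, Disabled -AutoSize
# Disable-IEZoneMitigation | Format-Table Zone, Action, Value, Disabled -AutoSize
```

The backup-then-restore shape matters more than the two registry values: a zone lockdown that nobody remembers to undo is what breaks line-of-business web applications months later, so keep the backup file with the change record.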
MS14-019 addresses a publicly disclosed vulnerability in the Windows file handling component. It manifests when Windows fails to properly restrict the path used for processing .BAT and .CMD files from the local network, which can lead to code execution in the context of the account that opened the file. The vulnerability was disclosed publicly before the patch, but no exploitation was known at the time of release. Because an attacker has to convince the user to run a specially crafted .BAT or .CMD file from an attacker-controlled network location, this bulletin is lower priority: the user must first navigate to a malicious network directory and then execute the file, whereas an Internet Explorer vulnerability can be exploited by a single click on a link to a malicious web page. Deploy this patch last.
MS14-020 addresses a vulnerability in Microsoft Publisher that can be used to execute arbitrary code in the context of the current user. It only affects Publisher in Office 2003 and 2007, so the latest two versions of Office (2010 and 2013) are unaffected. Again, running with least privilege reduces the impact compared with running as Administrator. Deploy this patch after MS14-017 and MS14-018.
Be sure to patch Microsoft Word (MS14-017) and Internet Explorer (MS14-018) first, followed by Microsoft Publisher (MS14-020), and lastly Windows file handling (MS14-019). Also, join us for the Vulnerability Expert Forum tomorrow, Wednesday, April 9, at 1pm PT, where we cover these patches as well as other security news. Sign up here.
>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win an iPad Mini!
Are you concerned about an increase in exploits for XP being used in the wild? If you have XP machines still in use, what are you doing to make sure they’re protected?
Most insightful and/or awesome answer wins!
>> VEF News Articles
>> VEF Questions & Comments
Noha was curious about “…if it is better to migrate to Windows 7 or Windows 8.” Our take is that either is better than Windows XP for a lot of reasons. Primarily, Windows 7 and Windows 8 have built-in security features that XP either lacks or cannot implement fully. Depending on your user base and budget, Windows 7 or Windows 8 would be a good move for performance, reliability, and security reasons. That said, there is a learning curve for Windows 8 and the new Metro UI, though that is reportedly being addressed in a future update. Windows 8 also has more security features than Windows 7, and is faster in some cases.
Dustin wanted to know, “Do you feel that AV, firewalls will help mitigate threats (to a decent degree) beyond MS lack of patching?” Nothing replaces solid patching practices. Security is like an onion: the more layers you have, the more agony and frustration you inflict on a malicious actor. If an attacker gets into your network and finds egress filtering, HIDS, endpoint protection, EMET, no unpatched third-party or first-party software vulnerabilities (because you install your updates), VLAN segmentation, and more, they are in for a long engagement during which they might be caught.
Thank you to all who attended this month’s VEF! We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly research@BeyondTrust.com.