Security in Context: The BeyondTrust Blog

July 2014 Patch Tuesday

Posted July 8, 2014    BeyondTrust Research Team

This July Microsoft has released six security bulletins covering 29 unique vulnerabilities. The bulletins to prioritize are MS14-037 (Internet Explorer), MS14-038 (Windows Journal) and MS14-040 (Windows AFD).

MS14-037 starts things off with another massive Internet Explorer update, on the heels of MS14-035 from last month. This new Internet Explorer bulletin covers 24 vulnerabilities, one of which was publicly disclosed before the patch. The publicly disclosed issue is in the handling of Extended Validation (EV) certificates: the EV guidelines do not permit wildcard certificates, but Internet Explorer accepted a wildcard certificate as an EV certificate anyway, which undermines the assurance the EV indicator is meant to give. That is bad enough, but the other 23 vulnerabilities are memory corruption bugs that can result in remote code execution, which is the more pressing reason to deploy this update. It remains to be seen whether Microsoft has cleaned out the Internet Explorer vulnerability closet for the next few months or whether massive Internet Explorer updates every Patch Tuesday are the new normal. All versions of Internet Explorer from 6 to 11 are affected.

MS14-038 brings yet another vulnerability in Windows Journal. This component has had vulnerabilities before and has hopefully already been disabled by most organizations where possible. Since the attack is delivered through a corrupted .jnt Windows Journal file, it is highly recommended to treat that extension the way you treat executable extensions and block it at your web and email gateways. All supported versions of Windows are affected except Server 2003, the Itanium editions of Server 2008 and 2008 R2, and Server Core installations.
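One way to act on that recommendation, as an added example rather than anything from the BeyondTrust post: a PowerShell script that reports whether Windows Journal is installed on a host, shows which program currently handles the .jnt extension, and creates an Exchange transport rule that rejects .jnt attachments. It assumes the default Journal.exe location under Program Files, the standard HKEY_CLASSES_ROOT association for .jnt, and, for the last step, an Exchange 2013 (or Exchange Online) management session in which New-TransportRule is available; on a plain workstation that step is reported rather than run.

```powershell
# Added example, not code from the BeyondTrust post.
# Assumptions: default Journal.exe path under Program Files, the usual HKCR\.jnt
# association, and an Exchange management session for the transport rule step.

# 1. Is Windows Journal present on this host?
$journal = Join-Path $env:ProgramFiles 'Windows Journal\Journal.exe'
if (Test-Path $journal) {
    Write-Output "Windows Journal is installed: $journal"
} else {
    Write-Output "Windows Journal not found at $journal"
}

# 2. Which program opens .jnt today? (HKCR\.jnt default value -> ProgID -> shell\open\command)
$ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.jnt' -ErrorAction SilentlyContinue
if ($ext -and $ext.'(default)') {
    $progId  = $ext.'(default)'
    $openCmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                -ErrorAction SilentlyContinue).'(default)'
    Write-Output ".jnt is handled by ProgID '$progId' -> $openCmd"
} else {
    Write-Output ".jnt has no registered handler on this host"
}

# 3. Mail gateway: treat .jnt like an executable attachment.
# New-TransportRule only exists inside an Exchange management session, so check first.
if (Get-Command New-TransportRule -ErrorAction SilentlyContinue) {
    New-TransportRule -Name 'Block Windows Journal (.jnt) attachments' `
        -AttachmentExtensionMatchesWords 'jnt' `
        -RejectMessageReasonText 'Windows Journal (.jnt) attachments are not accepted (see MS14-038).'
    Write-Output 'Transport rule created: .jnt attachments will be rejected'
} else {
    Write-Output 'Not an Exchange session; create the .jnt attachment block on your mail gateway separately'
}
```

The registry lookup matters because a host can have the .jnt association even after Journal.exe is removed, or the association can point somewhere unexpected; the transport rule covers email, and the equivalent extension block still needs to be added on the web proxy.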

MS14-039 is more interesting than critical when compared with the previous two bulletins. The vulnerability involves manipulating the Windows On-Screen Keyboard in a way that allows elevation of privilege from a low integrity process to code execution with the standard permissions of the logged-on user. Every supported version of Windows looks to be affected, with the exception of Server 2003.

MS14-040 is a privilege escalation in the Windows AFD driver, the Ancillary Function Driver that supports Windows sockets and network communication. This is a more classic privilege escalation than MS14-039 in that successful exploitation would take an attacker from any locally logged-on user to running code in kernel mode. This vulnerability is of course a worry given that it can be paired with something like this month's Internet Explorer vulnerabilities to turn a drive-by web attack into execution of code in the kernel. As a point of trivia, the original developer of AFD explained at this year's Microsoft BUILD conference that he had a different name for AFD originally. We have ROT13'd that name so as to keep the secret uber secure and bypass your corporate content filters: Nabgure Shpxvat Qevire

MS14-041 brings more security love, or lack thereof, for DirectShow. This vulnerability is unusual in that it is mainly useful when combined with another vulnerability: it lets an attacker jump from Low Integrity to executing code in the normal context of the logged-on user. That is exactly what an attacker wants after a browser vulnerability that only yields code execution at Low Integrity; chaining the two gives the full privileges of the logged-on user.

MS14-042 closes out this month's Patch Tuesday with an interesting vulnerability in Microsoft's Service Bus technology (the affected product is Service Bus for Windows Server 1.1). Service Bus is essentially a distributed messaging technology, typically used by enterprise applications and, in this case, also by cloud applications. The vulnerability is not code execution but a denial of service, triggered when an attacker sends specially crafted Advanced Message Queuing Protocol (AMQP) messages to a vulnerable system. Windows operating systems do not ship with Service Bus installed by default, so it is prudent to audit your environment for it, and especially not to forget cloud based applications where you may be using Service Bus.
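The audit suggested above, as an added example that is not from the original post: a PowerShell script that checks a host for Service Bus for Windows Server through the Add/Remove Programs registry keys, its Windows services, and a listener on the AMQP port. Assumptions: the package registers a DisplayName containing "Service Bus", its services carry a similar display name, and AMQP is on the default port 5672 (a deployment can move it, so adjust the port to match your farm configuration).

```powershell
# Added example, not code from the BeyondTrust post.
# Assumptions: Service Bus registers an Uninstall entry and services whose display
# names contain "Service Bus", and its AMQP listener uses the default port 5672.

# 1. Installed-programs check (64-bit and 32-bit Uninstall hives)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Service Bus*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

if ($installed) {
    Write-Output 'Service Bus package(s) found:'
    $installed | Format-Table -AutoSize
} else {
    Write-Output 'No Service Bus package found in Add/Remove Programs'
}

# 2. Services whose display name mentions Service Bus (names vary by version, so match loosely)
$services = Get-Service | Where-Object { $_.DisplayName -like '*Service Bus*' }
if ($services) {
    $services | Select-Object Name, DisplayName, Status | Format-Table -AutoSize
} else {
    Write-Output 'No Service Bus services registered'
}

# 3. Anything listening on the AMQP port? Get-NetTCPConnection needs Windows 8 / Server 2012
#    or later; fall back to netstat on older hosts.
$amqpPort = 5672
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listeners = Get-NetTCPConnection -LocalPort $amqpPort -State Listen -ErrorAction SilentlyContinue
    if ($listeners) {
        $listeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
    } else {
        Write-Output "Nothing listening on TCP $amqpPort"
    }
} else {
    netstat -ano | Select-String ":$amqpPort\s"
}
```

Run it across the server estate rather than on one box; Service Bus farms are small and easy to forget, and a positive result on any of the three checks is the cue to confirm the MS14-042 update is applied on that host.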


2 Responses to “July 2014 Patch Tuesday”

  1. Eric

     Was there a VEF this month?

     July 10, 2014 7:06:24
