BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

July 2014 Patch Tuesday

Posted July 8, 2014    BeyondTrust Research Team

This July Microsoft has released six security bulletins which account for over 29 unique vulnerabilities. The most critical bulletins are MS14-037 (Internet Explorer), MS14-038 (Windows Journal)  and MS14-040 (Windows AFD).

MS14-037 starts things off with another massive Internet Explorer update on the heels of MS14-035 from last month. This new Internet Explorer bulletin covers over 24 different vulnerabilities including 1 publicly disclosed vulnerability. The publicly disclosed vulnerability is within the handling of Extended Validation Certificates or EV Certificates. Internet Explorer was not properly enforcing Extended Validation best practices by disallowing the use of wildcard certificates. While this vulnerability itself is bad there are another 23 vulnerabilities that can result in a variety of remote code execution. It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal for massive Internet Explorer updates every Patch Tuesday. All versions of Internet Explorer from 6 to 11 are affected.

MS14-038 brings forth yet another vulnerability within Windows Journal. This component has had vulnerabilities in the past and hopefully has already been disabled by most organizations where possible. Furthermore since the attack takes place in a corrupted .jnt Windows Journal file it is highly recommended to treat this file extension as you do executable extensions and block it at your web and email gateways. All versions of Windows are affected except 2003, 2008 and 2008 R2 for Itanium and Server Core installations.

MS14-039 is more of an interesting vulnerability than something as critical as the previous two bulletins. The vulnerability here has to do with manipulating the On-Screen Keyboard in Windows in a way that can allow for elevation of privilege from a low integrity process to executing code as with standard permissions of the logged on user. Every supported version of Windows looks to be affected with the exception for Server 2003.

MS14-040 is a privilege escalation within the Windows AFD driver also known as the Ancillary Function Driver that helps support Windows sockets and networking communication. This is a more classic privilege escalation than MS14-040 in that the successful exploitation of this vulnerability would allow an attacker to go from any locally logged on user to running code in kernel mode. This vulnerability is of course a worry given it can be paired with something like the Internet Explorer vulnerabilities from this month to allow for drive-by web attacks that result in execution of code in the kernel. As a point of trivia the original developer of the AFD explained at this year’s Microsoft BUILD conference that he had a different name for AFD originally. We have ROT13’d that name so as to keep the secret uber secure and bypass your corporate content filters: Nabgure Shpxvat Qevire

MS14-41 brings back more security love, or lack thereof, for DirectShow. This vulnerability is unique in that it is mostly only useful when combined with another security vulnerability. In this case the vulnerability allows for an attacker to jump privileges from Low Integrity into executing code in the normal context of the logged on user. This might be helpful for example with certain browser vulnerabilities where code execution happens as Low Integrity and then combined with this to execute with the full privileges of the logged on user.

MS14-042 closes this month’s Patch Tuesday out with an interesting vulnerability within Microsoft’s Service Bus technology. Service Bus is essentially a distributed message technology typically used by enterprise applications but also in this case leveraged by cloud applications. The vulnerability itself is not code execution but rather a denial of service when an attacker sends specially crafted Advanced Message Queuing Protocol (AMQP) messages to a vulnerable system. Windows OS’s do not come with Service Bus technology installed by default but it will be prudent to audit your environment for such technology and especially not to forget about any cloud based applications where you might be leveraging Service Bus.

Tags:
, ,

Leave a Reply

2 Responses to “July 2014 Patch Tuesday”

  1. "Eric"

    was there a VEF this month?

    July 10, 2014 7:06:24, Reply

Additional articles

red-thumbprint

Why big data breaches won’t always be so easy

Posted September 19, 2014    Byron Acohido

This blog post is republished with the permission of ThirdCertainty. See the original post here. – By: Byron Acohido, Editor-In-Chief, ThirdCertainty Some day, perhaps fairly soon, it will be much more difficult for data thieves to pull off capers like the headline-grabbing hacks of Home Depot and Target. That’s not a pipe dream. It’s the projected outcome…

Tags:
, , , , ,
pbps-blog2

8 Reasons Your Privileged Password Management Solution Will Fail

Posted September 18, 2014    Chris Burd

Leveraging complex, frequently updated passwords is a basic security best practice for protecting privileged accounts in your organization. But if passwords are such a no-brainer, why do two out of three data breaches tie back to poor password management? The fact is that not all privileged password management strategies are created equal, so it’s critical…

Tags:
, , , , , ,
pbps-customer-campaign-image

You Change Your Oil Regularly; Why Not Your Passwords?

Posted September 11, 2014    Chris Burd

There are many things in life that get changed regularly:  your car oil, toothbrush and hopefully, your bed sheets.  It’s rare that you give these things much thought – even when you forget to change them. But what if you’re forgetting something that can cost you millions of dollars if left unchanged for long periods…

Tags:
, , ,