BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

July 2014 Patch Tuesday

Posted July 8, 2014    BeyondTrust Research Team

This July Microsoft has released six security bulletins which account for over 29 unique vulnerabilities. The most critical bulletins are MS14-037 (Internet Explorer), MS14-038 (Windows Journal)  and MS14-040 (Windows AFD).

MS14-037 starts things off with another massive Internet Explorer update on the heels of MS14-035 from last month. This new Internet Explorer bulletin covers over 24 different vulnerabilities including 1 publicly disclosed vulnerability. The publicly disclosed vulnerability is within the handling of Extended Validation Certificates or EV Certificates. Internet Explorer was not properly enforcing Extended Validation best practices by disallowing the use of wildcard certificates. While this vulnerability itself is bad there are another 23 vulnerabilities that can result in a variety of remote code execution. It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal for massive Internet Explorer updates every Patch Tuesday. All versions of Internet Explorer from 6 to 11 are affected.

MS14-038 brings forth yet another vulnerability within Windows Journal. This component has had vulnerabilities in the past and hopefully has already been disabled by most organizations where possible. Furthermore since the attack takes place in a corrupted .jnt Windows Journal file it is highly recommended to treat this file extension as you do executable extensions and block it at your web and email gateways. All versions of Windows are affected except 2003, 2008 and 2008 R2 for Itanium and Server Core installations.

MS14-039 is more of an interesting vulnerability than something as critical as the previous two bulletins. The vulnerability here has to do with manipulating the On-Screen Keyboard in Windows in a way that can allow for elevation of privilege from a low integrity process to executing code as with standard permissions of the logged on user. Every supported version of Windows looks to be affected with the exception for Server 2003.

MS14-040 is a privilege escalation within the Windows AFD driver also known as the Ancillary Function Driver that helps support Windows sockets and networking communication. This is a more classic privilege escalation than MS14-040 in that the successful exploitation of this vulnerability would allow an attacker to go from any locally logged on user to running code in kernel mode. This vulnerability is of course a worry given it can be paired with something like the Internet Explorer vulnerabilities from this month to allow for drive-by web attacks that result in execution of code in the kernel. As a point of trivia the original developer of the AFD explained at this year’s Microsoft BUILD conference that he had a different name for AFD originally. We have ROT13’d that name so as to keep the secret uber secure and bypass your corporate content filters: Nabgure Shpxvat Qevire

MS14-41 brings back more security love, or lack thereof, for DirectShow. This vulnerability is unique in that it is mostly only useful when combined with another security vulnerability. In this case the vulnerability allows for an attacker to jump privileges from Low Integrity into executing code in the normal context of the logged on user. This might be helpful for example with certain browser vulnerabilities where code execution happens as Low Integrity and then combined with this to execute with the full privileges of the logged on user.

MS14-042 closes this month’s Patch Tuesday out with an interesting vulnerability within Microsoft’s Service Bus technology. Service Bus is essentially a distributed message technology typically used by enterprise applications but also in this case leveraged by cloud applications. The vulnerability itself is not code execution but rather a denial of service when an attacker sends specially crafted Advanced Message Queuing Protocol (AMQP) messages to a vulnerable system. Windows OS’s do not come with Service Bus technology installed by default but it will be prudent to audit your environment for such technology and especially not to forget about any cloud based applications where you might be leveraging Service Bus.

Tags:
, ,

Leave a Reply

2 Responses to “July 2014 Patch Tuesday”

  1. "Eric"

    was there a VEF this month?

    July 10, 2014 7:06:24, Reply

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,