BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

July 2014 Patch Tuesday

Posted July 8, 2014    BeyondTrust Research Team

This July Microsoft has released six security bulletins which account for over 29 unique vulnerabilities. The most critical bulletins are MS14-037 (Internet Explorer), MS14-038 (Windows Journal)  and MS14-040 (Windows AFD).

MS14-037 starts things off with another massive Internet Explorer update on the heels of MS14-035 from last month. This new Internet Explorer bulletin covers over 24 different vulnerabilities including 1 publicly disclosed vulnerability. The publicly disclosed vulnerability is within the handling of Extended Validation Certificates or EV Certificates. Internet Explorer was not properly enforcing Extended Validation best practices by disallowing the use of wildcard certificates. While this vulnerability itself is bad there are another 23 vulnerabilities that can result in a variety of remote code execution. It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal for massive Internet Explorer updates every Patch Tuesday. All versions of Internet Explorer from 6 to 11 are affected.

MS14-038 brings forth yet another vulnerability within Windows Journal. This component has had vulnerabilities in the past and hopefully has already been disabled by most organizations where possible. Furthermore since the attack takes place in a corrupted .jnt Windows Journal file it is highly recommended to treat this file extension as you do executable extensions and block it at your web and email gateways. All versions of Windows are affected except 2003, 2008 and 2008 R2 for Itanium and Server Core installations.

MS14-039 is more of an interesting vulnerability than something as critical as the previous two bulletins. The vulnerability here has to do with manipulating the On-Screen Keyboard in Windows in a way that can allow for elevation of privilege from a low integrity process to executing code as with standard permissions of the logged on user. Every supported version of Windows looks to be affected with the exception for Server 2003.

MS14-040 is a privilege escalation within the Windows AFD driver also known as the Ancillary Function Driver that helps support Windows sockets and networking communication. This is a more classic privilege escalation than MS14-040 in that the successful exploitation of this vulnerability would allow an attacker to go from any locally logged on user to running code in kernel mode. This vulnerability is of course a worry given it can be paired with something like the Internet Explorer vulnerabilities from this month to allow for drive-by web attacks that result in execution of code in the kernel. As a point of trivia the original developer of the AFD explained at this year’s Microsoft BUILD conference that he had a different name for AFD originally. We have ROT13’d that name so as to keep the secret uber secure and bypass your corporate content filters: Nabgure Shpxvat Qevire

MS14-41 brings back more security love, or lack thereof, for DirectShow. This vulnerability is unique in that it is mostly only useful when combined with another security vulnerability. In this case the vulnerability allows for an attacker to jump privileges from Low Integrity into executing code in the normal context of the logged on user. This might be helpful for example with certain browser vulnerabilities where code execution happens as Low Integrity and then combined with this to execute with the full privileges of the logged on user.

MS14-042 closes this month’s Patch Tuesday out with an interesting vulnerability within Microsoft’s Service Bus technology. Service Bus is essentially a distributed message technology typically used by enterprise applications but also in this case leveraged by cloud applications. The vulnerability itself is not code execution but rather a denial of service when an attacker sends specially crafted Advanced Message Queuing Protocol (AMQP) messages to a vulnerable system. Windows OS’s do not come with Service Bus technology installed by default but it will be prudent to audit your environment for such technology and especially not to forget about any cloud based applications where you might be leveraging Service Bus.

Tags:
, ,

Leave a Reply

2 Responses to “July 2014 Patch Tuesday”

  1. "Eric"

    was there a VEF this month?

    July 10, 2014 7:06:24, Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,