BeyondTrust

Security in Context: The BeyondTrust Blog

July 2014 Patch Tuesday

Posted July 8, 2014    BeyondTrust Research Team

This July Microsoft has released six security bulletins, which together cover over 29 unique vulnerabilities. The most critical bulletins are MS14-037 (Internet Explorer), MS14-038 (Windows Journal) and MS14-040 (Windows AFD).

MS14-037 starts things off with another massive Internet Explorer update on the heels of MS14-035 from last month. This new Internet Explorer bulletin covers over 24 different vulnerabilities, including one publicly disclosed vulnerability. The publicly disclosed vulnerability lies in the handling of Extended Validation (EV) certificates: Internet Explorer was not enforcing the Extended Validation best practice of disallowing wildcard certificates, so a wildcard certificate could still be treated as EV. While this vulnerability itself is bad, the other 23 vulnerabilities can result in a variety of remote code execution. It remains to be seen whether Microsoft has cleaned out the Internet Explorer vulnerability closet for the next few months or whether this is the new normal of massive Internet Explorer updates every Patch Tuesday. All versions of Internet Explorer from 6 to 11 are affected.
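The EV rule the bulletin enforces can be expressed as a small client-side policy check. The following is an added example, not code from the BeyondTrust post or from Internet Explorer: it takes a certificate's DNS names and certificatePolicies OIDs as plain Python values (X.509 parsing is out of scope) and decides whether an EV indicator may be shown, downgrading any certificate that carries a wildcard name. The CA/Browser Forum EV and DV policy OIDs are real; the certificates in the demo are constructed samples.

```python
# Added example (not from the BeyondTrust post): a policy check of the kind
# a TLS client applies before showing the Extended Validation (EV) indicator.
# The EV guidelines do not permit wildcard names, so a certificate that
# asserts an EV policy OID but carries a wildcard DNS name must be treated as
# an ordinary (non-EV) certificate. Certificate fields are passed in as plain
# Python values; parsing the X.509 structure itself is out of scope here.

# CA/Browser Forum EV policy OID. Individual CAs also use their own EV OIDs;
# the client passes the ones it trusts via known_ev_oids.
CABF_EV_OID = "2.23.140.1.1"
# CA/Browser Forum DV policy OID, used only for the constructed DV sample.
CABF_DV_OID = "2.23.140.1.2.1"


def is_wildcard_name(dns_name: str) -> bool:
    """True if any label of the name contains '*'.

    Covers '*.example.com' as well as partial wildcards such as
    'w*.example.com', all of which fall outside the EV rules.
    """
    return any("*" in label for label in dns_name.strip(".").split("."))


def ev_indicator_allowed(dns_names, policy_oids, known_ev_oids=(CABF_EV_OID,)) -> bool:
    """Decide whether an EV indicator may be shown for a certificate.

    dns_names:     DNS names the certificate covers (subject CN plus SAN entries)
    policy_oids:   certificatePolicies OIDs asserted by the certificate
    known_ev_oids: policy OIDs the client recognises as EV (the CA/B Forum OID
                   plus any CA-specific EV OIDs the client trusts)
    """
    asserts_ev = any(oid in known_ev_oids for oid in policy_oids)
    if not asserts_ev or not dns_names:
        return False
    # The behaviour MS14-037 restores: enforce the no-wildcard rule, so a
    # certificate with any wildcard name is shown as a plain certificate.
    return not any(is_wildcard_name(name) for name in dns_names)


def demo():
    """Evaluate three constructed sample certificates (not real ones)."""
    cases = {
        "plain EV": (["www.example.com", "example.com"], [CABF_EV_OID]),
        "wildcard claiming EV": (["*.example.com"], [CABF_EV_OID]),
        "DV wildcard": (["*.example.com"], [CABF_DV_OID]),
    }
    return {label: ev_indicator_allowed(names, oids) for label, (names, oids) in cases.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:22s} EV indicator: {'shown' if allowed else 'suppressed'}")
```

The check is deliberately conservative: the EV indicator is suppressed whenever any covered name, not only the subject CN, contains a wildcard, since a certificate is only as strong as its weakest name.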

MS14-038 brings forth yet another vulnerability within Windows Journal. This component has had vulnerabilities in the past and has hopefully already been disabled by most organizations where possible. Furthermore, since the attack is delivered in a corrupted .jnt Windows Journal file, it is highly recommended to treat this file extension as you do executable extensions and block it at your web and email gateways. All versions of Windows are affected except 2003, 2008 and 2008 R2 for Itanium, and Server Core installations.
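To make the gateway recommendation concrete, here is an added example (not code from the BeyondTrust post or from any gateway product) of an attachment check that treats .jnt like an executable extension. It walks a MIME message with Python's standard library, normalises each attachment's declared filename, and reports any whose final extension is on the block list; the block list and the sample message are constructed for the demo.

```python
# Added example (not from the BeyondTrust post): an attachment check of the
# kind an email gateway applies to enforce the "treat .jnt like an
# executable" recommendation. It walks a MIME message with the standard
# library, reads each attachment's declared filename, and flags any whose
# final extension is on the block list. The block list is a constructed
# sample; extend it to match the executable extensions your gateway blocks.
import email
from email import policy
from typing import List, Optional, Tuple

BLOCKED_EXTENSIONS = {"jnt", "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def offending_extension(filename: Optional[str]) -> Optional[str]:
    """Return the blocked extension a filename ends with, or None.

    Normalises case and strips trailing dots and spaces, which Windows
    ignores when opening a file, so 'report.JNT ' and 'invoice.pdf.jnt'
    are both caught. A name without a dot, or no name at all, is not flagged.
    """
    if not filename:
        return None
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(raw: str) -> List[Tuple[str, str]]:
    """Return (filename, extension) pairs for attachments that must be blocked."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, not an attachment
        ext = offending_extension(part.get_filename())
        if ext:
            hits.append((part.get_filename(), ext))
    return hits


# Constructed sample message: one benign PDF and one Windows Journal file
# hiding behind a double extension and mixed case.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Notes attached.
--b1
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.pdf.JNT"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


if __name__ == "__main__":
    for name, ext in scan_message(SAMPLE_MESSAGE):
        print(f"BLOCK attachment {name!r}: extension .{ext} is treated as executable")
```

An extension check like this is the first line of defence the post asks for, not the last: a .jnt file inside an archive or with its extension renamed will only be caught by the content inspection your gateway layers on top of it.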

MS14-039 is more of an interesting vulnerability than something as critical as the previous two bulletins. The vulnerability has to do with manipulating the On-Screen Keyboard in Windows in a way that allows elevation of privilege from a low integrity process to executing code with the standard permissions of the logged on user. Every supported version of Windows looks to be affected, with the exception of Server 2003.

MS14-040 is a privilege escalation within the Windows AFD driver, also known as the Ancillary Function Driver, which supports Windows sockets and networking communication. This is a more classic privilege escalation than MS14-039 in that successful exploitation would allow an attacker to go from any locally logged on user to running code in kernel mode. This vulnerability is of course a worry given that it can be paired with something like this month’s Internet Explorer vulnerabilities to allow drive-by web attacks that result in code execution in the kernel. As a point of trivia, the original developer of AFD explained at this year’s Microsoft BUILD conference that he originally had a different name for it. We have ROT13’d that name so as to keep the secret uber secure and bypass your corporate content filters: Nabgure Shpxvat Qevire

MS14-041 brings back more security love, or lack thereof, for DirectShow. This vulnerability is unique in that it is mostly only useful when combined with another security vulnerability. In this case the vulnerability allows an attacker to jump from Low Integrity to executing code in the normal context of the logged on user. This might be helpful, for example, with certain browser vulnerabilities where code execution happens at Low Integrity; combined with this bug, that code would then execute with the full privileges of the logged on user.

MS14-042 closes out this month’s Patch Tuesday with an interesting vulnerability within Microsoft’s Service Bus technology. Service Bus is essentially a distributed messaging technology typically used by enterprise applications, but in this case also leveraged by cloud applications. The vulnerability itself is not code execution but rather a denial of service when an attacker sends specially crafted Advanced Message Queuing Protocol (AMQP) messages to a vulnerable system. Windows operating systems do not ship with Service Bus installed by default, but it would be prudent to audit your environment for it, and especially not to forget any cloud based applications where you might be leveraging Service Bus.

2 Responses to “July 2014 Patch Tuesday”

  1. "Eric"

    Was there a VEF this month?

    July 10, 2014 7:06:24, Reply
