BeyondTrust

Security in Context: The BeyondTrust Blog


June 2014 Patch Tuesday

Posted June 10, 2014    BeyondTrust Research Team

This June we are greeted with 7 different Microsoft Security bulletins for Patch Tuesday.

MS14-030 covers a vulnerability within Remote Desktop that could allow for tampering with RDP session data. The sky is not falling here, though, because an attacker needs to already be on the same network segment as their target in order to perform this tampering. If you are running Windows 2003, 2008, 2008 R2, Vista or RT you can safely ignore this vulnerability. It should also be noted that Microsoft reminds people to enable Network Level Authentication (NLA), which can help mitigate this attack. This is a great example of a good Microsoft GPO setting that you should already have in place in your organization. You can read more on how to enable this GPO option here.

MS14-031 is a vulnerability within Windows' handling of the TCP protocol which can allow for a denial of service at the operating system level. The good news here, though, is that Microsoft suggests that exploit code is unlikely. This could be because of the number of hoops and nuances required to properly craft the correct sequence of packets to bring a system down. Here also it seems Windows Server 2003 dodges a bullet, as it is not affected by this vulnerability.

MS14-032 continues a trend of vulnerabilities related to Microsoft's Lync Server. The vulnerability itself is actually an information disclosure bug whereby a user has to be tricked into joining a Lync meeting by clicking on a specially crafted URL. This could allow scripts to execute in a user's browser to gather extra information, possibly for use in combination with future attacks. Overall, though, this vulnerability is not critical, especially for those not even running Lync Server!

MS14-033 fixes new vulnerabilities in Microsoft XML Core Services. MSXML has had a variety of vulnerabilities over the years and the trend continues here. Not to worry, though: this is not a critical vulnerability, and while it is something you want to patch, it is certainly not top priority.

MS14-034, on the other hand, is a critical vulnerability for Microsoft Word that you likely will see active exploits for. The good news, though, is that the latest major release versions of Word, such as the one included with Office 2013, are not affected. This is a great reminder that sometimes, when budgeting and thinking about security, it is not simply about buying some new protection appliance but about making sure your organization has migrated from things like Office 2007 to Office 2013. One important point to note is that this vulnerability allows for code execution with the privileges of the user who opened the document. This is yet another great reminder to implement least privilege and make sure your users are not running as Administrator.

MS14-035 is the bulletin you have been looking for. In short, Internet Explorer was broken every which way today. There are a significant number of Internet Explorer code execution and related vulnerabilities patched by this bulletin. Essentially, if you are running Internet Explorer 6 through 11, you are vulnerable. This bulletin also resolves two previously publicly disclosed vulnerabilities. One of those previously disclosed vulnerabilities could help attackers intercept and decrypt portions of encrypted TLS traffic. There are also other vulnerabilities useful to attackers that allow for elevation of privilege. By default Internet Explorer runs code in low-integrity mode, which means that when it is exploited an attacker can do less with a system. There are 3 different vulnerabilities fixed here, though, that allow an attacker to go from low integrity to medium integrity, or basically to run code as the user of Internet Explorer. This is another great reminder of the need to implement least privilege, so that even when an attacker breaks out of Internet Explorer's low-privilege modes they still do not obtain Administrator without a fight. More than just fixing bugs, though, Microsoft has also included updates to Internet Explorer's XSS Filter to help prevent more cross-site scripting style attacks. This is certainly the most critical vulnerability to patch immediately.

MS14-036 brings back even more fun with GDI+. GDI+ is a graphics device interface for Windows and a recurring pain point from a vulnerability perspective. Part of the challenge is that GDI+ vulnerabilities tend to affect multiple Microsoft products, including in this case base operating systems and Microsoft Office. Good news again here for those running Office 2013: it is not affected. But the bad news is that, as mentioned, this also affects base OS components, which in this case means every supported OS version from Microsoft. And not to pile on further bad news, but Microsoft also suggests exploit code is likely. Given what we have seen from GDI+ in the past, we suggest also getting this patched immediately. One of the two vulnerabilities fixed in this bulletin is likely to be exploited via the WebDAV protocol, which by default on Windows is supported via the WebClient service. As we have recommended many times in the past, this service should be disabled by default within GPO.
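The three hardening settings recommended above (NLA for RDP, a disabled WebClient service, and users not running as Administrator) can be checked on a host with a short PowerShell audit. This is an added example, not part of the original post; it assumes it is run locally in the session of the user being audited, and that NLA is recorded in the standard `UserAuthentication` registry value (policy location first, then the local RDP-Tcp listener).

```powershell
# Added example: audits the three settings this post recommends, on the local host.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

# 1. NLA for RDP (MS14-030). The GPO writes under Policies; that value, when
#    present, overrides the local RDP-Tcp listener setting.
$nla = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'UserAuthentication'
$nlaSource = 'GPO'
if ($null -eq $nla) {
    $nla = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
    $nlaSource = 'local'
}
$nlaDetail = if ($null -eq $nla) { 'UserAuthentication not set' } else { "UserAuthentication=$nla ($nlaSource)" }

# 2. WebClient (WebDAV) service (MS14-036). Absent or Disabled passes; Manual
#    does not, because a Manual service can still be started on demand.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
$webClientOk = (-not $svc) -or ($svc.StartMode -eq 'Disabled')
$svcDetail = if ($svc) { "StartMode=$($svc.StartMode), State=$($svc.State)" } else { 'service not installed' }

# 3. Least privilege (MS14-034, MS14-035): does this session's token carry
#    Administrator rights? Run as the end user whose session is being audited.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$results = @(
    [pscustomobject]@{ Check = 'RDP requires NLA';     Pass = ($nla -eq 1);    Detail = $nlaDetail }
    [pscustomobject]@{ Check = 'WebClient disabled';   Pass = $webClientOk;    Detail = $svcDetail }
    [pscustomobject]@{ Check = 'Session is not admin'; Pass = (-not $isAdmin); Detail = $id.Name }
)
$results | Format-Table -AutoSize
```

A `False` in the `Pass` column marks a setting that does not match the post's recommendation; the `Detail` column shows the value that was found.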

 

 

 
