Security in Context: The BeyondTrust Blog


March 2014 Patch Tuesday

Posted March 11, 2014    BeyondTrust Research Team

March’s Patch Tuesday brings us five patches, fixing Internet Explorer, DirectShow, Silverlight, kernel-mode drivers, and the Security Account Manager Remote Protocol.

MS14-012 fixes 18 unique vulnerabilities, one of which has been publicly disclosed: CVE-2014-0322. This vulnerability has been exploited as early as January 20, 2014, being used in targeted attacks against visitors to the U.S. Veterans of Foreign Wars’ website, as well as organizations associated with the French aerospace association, GIFAS. More information about these attacks is available at the FireEye and Websense blog posts. Microsoft has released an advisory about this vulnerability, as well as an MSHTML Shim Workaround to mitigate this vulnerability until the patch can be applied. Reports confirm that at least one of the attacks aborted the exploitation process if EMET is installed, rather than trying to bypass it, so if you were using EMET and were attacked during these campaigns, you would have been protected. While this vulnerability has received much public attention, it is also worth noting that another vulnerability patched in this bulletin, CVE-2014-0324, has been exploited in targeted attacks. Suffice it to say that it is extremely important to install MS14-012 as soon as possible.

MS14-013 fixes a critical vulnerability in DirectShow. This vulnerability was not publicly disclosed, nor was it exploited in the wild. The vulnerability lies in how DirectShow parses JPEG images, which means that exploits targeting it will likely be delivered through compromised web pages or embedded in documents sent as part of a targeted email campaign. Because the vulnerable code runs outside the kernel, users running with least privilege (non-admin) will be least affected, since an attacker who compromises a machine through this vulnerability will be limited to that user’s rights. Attackers will be particularly interested in this vulnerability because DirectShow has seen little activity over the last year in terms of vulnerabilities patched; the only DirectShow patch in 2013 was provided in MS13-056.

MS14-014 fixes one important vulnerability in Silverlight 5. The vulnerability permits attackers to bypass ASLR and DEP, two exploit mitigations that are effective when combined with each other. To take advantage of the vulnerability fixed by MS14-014, however, an attacker would first need a secondary exploit to achieve code execution on the system; from that point, they would leverage this vulnerability to bypass ASLR/DEP. We saw an ASLR bypass fixed in the .NET Framework back in January with MS14-009, and the month before that MS13-106 fixed an ASLR bypass in Office, so security feature bypass vulnerabilities are being actively investigated and subsequently fixed. While this was privately disclosed and no exploits targeting it have been observed in the wild, until you can get the patch deployed, simply block Silverlight from running in Internet Explorer, Firefox, and Chrome.

MS14-015 addresses two separate vulnerabilities in Windows kernel-mode drivers. CVE-2014-0300 is a privately reported elevation of privilege vulnerability, whereas CVE-2014-0323 is an information disclosure that was publicly disclosed; no reports of exploitation of either vulnerability have surfaced. It’s worth noting that CVE-2014-0323 is an information disclosure vulnerability only on the older affected versions of Windows; on newer versions, it manifests only as a denial of service. To exploit either of these vulnerabilities, an attacker must be able to authenticate locally to the system, which is common among kernel-mode driver vulnerabilities.

MS14-016 addresses a security feature bypass vulnerability in the Security Account Manager Remote (SAMR) protocol. This vulnerability exists because Windows fails to correctly validate user lockout states, meaning that an attacker can brute-force username/password combinations without fear of locking out a user account, which would prevent the attacker from guessing further passwords for that account. While an attacker can use this vulnerability to gain access to an account via brute-forcing, the attacker must already know a target’s username and be able to connect to the domain controller. This will be a large deterrent for attackers considering investigating this vulnerability, since other more lucrative and less noticeable attacks are made possible with this month’s collection of vulnerabilities.
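The bulletin’s description of MS14-016 comes down to where the lockout state is checked. The following added example (not BeyondTrust’s or Microsoft’s code) models a toy account store with a constructed lockout policy, an authenticator that records failures but never consults the lockout flag, and a corrected one that enforces it before looking at the password:

```python
"""Lockout-state validation, modelled after the class of flaw MS14-016 fixes.

Added example with a constructed account and guess list; the account store,
threshold and function names are assumptions, not anything from the bulletin.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
import hmac

LOCKOUT_THRESHOLD = 5  # constructed policy: bad passwords before the account locks


@dataclass
class Account:
    username: str
    password: str            # plaintext only because this is a toy model
    bad_password_count: int = 0
    locked_out: bool = False


def record_failure(acct: Account) -> None:
    """Count a failed attempt and set the lockout flag once the threshold is hit."""
    acct.bad_password_count += 1
    if acct.bad_password_count >= LOCKOUT_THRESHOLD:
        acct.locked_out = True


def flawed_authenticate(acct: Account, guess: str) -> bool:
    """Checks the password but never validates the lockout state: the flag gets
    set, yet nothing enforces it, so guessing is never bounded."""
    ok = hmac.compare_digest(acct.password, guess)
    if not ok:
        record_failure(acct)
    return ok


def hardened_authenticate(acct: Account, guess: str) -> bool:
    """Rejects a locked account before touching the password, so the lockout
    policy actually caps the number of guesses the account will accept."""
    if acct.locked_out:
        return False
    ok = hmac.compare_digest(acct.password, guess)
    if not ok:
        record_failure(acct)
    return ok


def guesses_until_success(auth: Callable[[Account, str], bool],
                          guesses: Iterable[str]) -> Optional[int]:
    """Run a guess list against a fresh constructed account and return the
    1-based attempt number that was accepted, or None if none was."""
    acct = Account("svc_backup", "correct horse")  # constructed test account
    for attempt, guess in enumerate(guesses, start=1):
        if auth(acct, guess):
            return attempt
    return None


# Constructed guess list: six wrong passwords, then the right one.
GUESSES = ["password", "Welcome1", "Spring2014", "svc_backup",
           "P@ssw0rd", "letmein", "correct horse"]
```

Note that `bad_password_count` still climbs in the flawed path, which is why alerting on failed-logon volume against a single account surfaces guessing that a broken lockout does not stop.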

Be sure to patch Internet Explorer (MS14-012), followed by DirectShow (MS14-013), Silverlight (MS14-014), kernel-mode drivers (MS14-015), followed lastly by the SAMR protocol (MS14-016). Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, March 12 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win an iPad Mini!

Are you ready to say “Adios!” to XP?

Most insightful and/or awesome answer wins!

>> VEF News Articles

IE10 0day In the Wild

Linksys Worm “TheMoon”

Do Not Pass QA, Do Not Goto Fail: Catching Subtle Bugs In The Act 

EMET 5.0 Technical Preview

Yahoo Email Crossdomain Info Leak

I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis

>> VEF Questions & Comments

Mona was interested in “…the difference between a privately and publicly disclosed exploit?” Exploit and vulnerability can be used interchangeably here. Public disclosure involves a researcher or InfoSec person (IT admin, CSO, etc.) publicly announcing the existence of a vulnerability and/or exploit. A privately disclosed vulnerability/exploit is usually one that has been responsibly disclosed to the vendor responsible for fixing the problem. There are a few variations regarding publicly and privately disclosed issues, but most fall into these two categories.

Joseph wanted to know, “when you state that Chrome has not seen active exploits that is for that particular KB correct?” We mean that Chrome has not had *ANY* in-the-wild exploits… that have been discovered. Companies like VUPEN have Chrome 0day in their repositories and sell exploits like that to state-like entities with deep pockets. There may be exploits for Chrome actively being used out there, just as there may be for any piece of software in the wild. The difference between Internet Explorer/Firefox and Chrome is that no exploits for Chrome are publicly available: no attack campaigns have specifically leveraged a weakness in Chrome, and no exploit frameworks or exploit kits carry Chrome exploits either.

Dan asks, “Who is Pinkie Pie?” Answer: he’s a legit teenage hacker who has repeatedly pwned Chrome.

Thank you to all who attended this month’s VEF! We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly.


10 Responses to “March 2014 Patch Tuesday”

  1. Jeffrey

    Windows XP has served us well, and done its job. Rather than letting the poor thing die in peace, Microsoft will throw it to the wolves and stop supporting it. lol, A fitting end to one of history’s most successful products!

    March 12, 2014 1:24:59, Reply
  2. Ben

    We are so over XP that we migrated to Windows 7 two years ago!

    March 12, 2014 1:25:06, Reply
  3. Erast

    We are ready. All remaining XPs are on upgraded list by April!

    March 12, 2014 1:25:48, Reply
  4. Jim

    Are we ready to say adios to WinXP! Si! But several of our users are kicking and screaming about their need to keep running their 15 year old applications or their need to keep testing with XP clients since much of the world is kicking and screaming….

    Anyway, that’s ok. We’ll let them stay on XP. But off our domain and off the network they go. They’re going to buy air cards for Internet access. They’re dead to us.

    March 12, 2014 1:28:45, Reply
  5. Troy

    Saying bye-bye to XP is hard for some orgs like MFG. Many equipment suppliers are still selling embedded XP and fully integrated-systems. Replacing some of the existing systems can cost in the hundreds of thousands of $$ so those orgs are not likely to migrate soon. They will likely wait for a catastrophic system failure before replacing with a newer OS and then it is dependent on the eqt mfr to have a newer OS solution.

    March 12, 2014 1:31:47, Reply
  6. Barb

    Response to “Are you ready to say adios to XP?” The Grants Pass Clinic is ready to say adios to WIN XP. We only have 2 computers running XP and that is only because they are physically connected to old hardware that will not work on newer WINDOWS OS. This old hardware includes a holter monitor that connects to the computer and transmits heartbeat info to legacy software that refuses to evolve into the 21st century. Another computer is connected to an old treadmill, again using old software to convert data into chart format. All of our other 200 computers are running Windows 7 Pro, so we are ready to say “Adios Windows XP, nos sirvio bien!”

    March 12, 2014 1:33:05, Reply
  7. Dawn

    We are ready to retire XP! Converted to Windows 7, not 8 for the users’ sake. Bring on the iPad mini! Why is it an Apple giveaway on a Windows survey? An apple a day keeps the attackers away?!

    March 12, 2014 1:42:08, Reply
  8. Bill

    During your webcast you mentioned a contest concerning giving away an iPad Mini – registering plans to x-out XP. However, I see no link here to do so.
    That being said – I am actually phasing out our last hidden XP box today. We are currently running an 8.1 platform.

    March 12, 2014 1:56:08, Reply
  9. William

    Sonnet for Windows XP:

    With the passing of our longtime friend XP
    What a journey we had along the way
    Oh but nothing in tech is here to stay
    On to a new desktop OS for me
    No longer will we have our patching spree
    Or update drivers for the RAID array
    It is hard to find new games that you play
    Since Microsoft has stopped supporting thee

    What will we do to fill all our time now
    I guess we will have to learn something new
    How you served us so well, for the most part
    Your long run was Microsoft’s big cash cow
    Hey recall the firewall in SP2 -_-
    Now we are left with 8 and can’t click: start

    In all seriousness, it was a good ride and it should be over. I just wish some software developers would move on though. Hey as one of our vendors suggested for their app “Windows XP Embedded POSReady 2009” will be supported until April 9, 2019. So XP in some form will be around for quite some time.

    March 12, 2014 5:31:53, Reply
  10. Ben

    Windows XP has been around for almost the entire time I have been working with computers professionally. It really helped set up Microsoft for a more “modern” looking OS after the versions of Windows 9x (including ME) that came before it, and building on and making the GUI more friendly and less like the earlier versions of NT. It was so successful that people seem to have developed a level of loyalty to it that goes beyond anything Microsoft expected. It became the OS that most of the world experienced the global Digital Revolution and explosion of the internet with. People became attached to it as a kid does with a stuffed animal they cannot sleep without, and they took comfort in how it worked and how it looked. That has been shown over and over since when Microsoft tries to stray too far and too fast from what people have become familiar with. There is a backlash against it, and people stick with what they are most familiar and comfortable with. A large amount of the blame goes to Microsoft themselves for allowing people to expect that Windows XP would always be there…always be a constant in their lives and never change since Microsoft never updated it beyond small tweaks. Now, however, it is time to put the venerable OS to rest and let it become a distant memory as technology ever marches onward. I, for one, am quite ready to say Adios to XP and the many ancient machines it still runs on. This is due in no small part to several of those ancient machines being owned by family members who do not hesitate to complain to me every time their machine runs slow and expect me to be able to work magic and allow it to stagger on. 😉 It is time for the Operating Systems to be updated, the machines to be renewed, and everyone to embrace the future and be excited about what new technologies lie ahead instead of looking back and holding onto that old, broken memory of past computer joys. Adios, XP! We will always remember, but you will not be missed.

    March 14, 2014 1:58:21, Reply
