Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

May 2014 Patch Tuesday

Posted May 13, 2014    BeyondTrust Research Team

May’s Patch Tuesday contains eight bulletins addressing 13 issues, fixing Internet Explorer, SharePoint Server, Office, Group Policy Preferences, Windows, the .NET Framework, and iSCSI.

MS14-022 fixes three vulnerabilities in Microsoft SharePoint Server, the worst of which could be used to execute arbitrary code on a targeted SharePoint server. The attacker would need to be authenticated and have the ability to send maliciously crafted page content to the server. These vulnerabilities have not been publicly disclosed, nor have they been used in the wild. No non-patch mitigations exist, so it is strongly advised to deploy this patch as soon as possible.

MS14-023 addresses two vulnerabilities in Microsoft Office. One of the vulnerabilities, CVE-2014-1756, is a classic DLL preloading vulnerability, which means that an attacker can plant a malicious DLL into the same directory as a legitimate document. When the user opens the document, the malicious DLL will be executed, causing arbitrary code to be executed in the context of Office. This can be mitigated by blocking ports 139 and 445 at the perimeter firewall, preventing the WebClient service from running, and preventing DLLs from being loaded from WebDAV and remote shares. The other vulnerability addressed in this bulletin, can allow an attacker to impersonate a user authenticated against a Microsoft online service. Deploy this patch immediately to protect against attacks targeting these vulnerabilities; the DLL preloading vulnerability is very easy to exploit with publicly available, reliable, easy-to-use tools.

MS14-024 fixes an ASLR (address space layout randomization) bypass in MSCOMCTL, a shared common controls library used by Microsoft Office. While the vulnerability has not been publicly disclosed, it has been observed in targeted attacks in the wild. The vulnerability itself is not enough to gain remote code execution on a system, but when coupled with another remote code execution vulnerability, this ASLR bypass makes it far easier to achieve reliable code execution on affected systems. Administrators are advised to patch this vulnerability immediately to protect against active attacks.

MS14-025 fixes a publicly disclosed vulnerability in Group Policy Preferences. This vulnerability has been exploited in the wild. The vulnerability itself exists in the way that Active Directory distributes passwords, when configured using Group Policy preferences. Using this vulnerability, an attacker would be able to decrypt the passwords that are distributed and use them to authenticate against systems on the network, thereby elevating their privileges on the domain. Deploy this patch immediately to protect against active attacks.

MS14-026 addresses a vulnerability in the .NET Framework, which occurs when handling TypeFilterLevel checks on specially crafted objects. Attackers could exploit this in order to elevate their privileges and escape from any existing .NET trust restrictions. While no direct mitigation exists for this vulnerability, administrators can lessen the ease of exploitation by restricting access to the affected application to only authenticated users, by enabling security when registering a channel. Administrators are advised, however, to deploy this patch when possible.

MS14-027 fixes a privilege elevation vulnerability in Windows, which could allow attackers to elevate their privileges to the Local System account. The vulnerability lies within the way the ShellExecute Windows API handles file associations. While the vulnerability has not been publicly disclosed, it has been observed in targeted attacks in the wild. No non-patch mitigations exist. Administrators are encouraged to deploy this patch as soon as possible.

MS14-028 addresses two denial-of-service vulnerabilities that occur when handling iSCSI packets and connections. The vulnerabilities only exist when the server has the iSCSI target role enabled. Attackers that successfully exploit either of these vulnerabilities would be able to stop an affected server from responding by sending a large number of specially crafted packets to the affected server. Block TCP port 3260 at the perimeter firewall and whitelist access to servers with the iSCSI role enabled to only specifically permitted clients. Deploy this patch when possible.

MS14-029 addresses two vulnerabilities that could be used to remotely execute code on a user’s system. These vulnerabilities both affect Internet Explorer 6 through 11. While neither of these vulnerabilities were publicly disclosed, reports of targeted attacks have surfaced regarding CVE-2014-1815. Both of these vulnerabilities can be mitigated by blocking ActiveX controls and blocking or disabling Active Scripting in both Internet and Local intranet zones. Deploy this patch immediately to protect against active attacks.

Be sure to patch Office (MS14-023), MSCOMCTL (MS14-024), Group Policy Preferences (MS14-025), and Internet Explorer (MS14-029), followed by SharePoint Server (MS14-022) and Windows (MS14-027), followed lastly by the .NET Framework (MS14-026) and iSCSI (MS14-028). Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, May 14 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win a Nexus 7!

Internet Explorer has been getting attacked a lot in recent weeks, being the entry point in targeted attacks. It caused Microsoft to issue an out-of-band patch for IE, even for XP, which they said would receive no more patches. Has this caused your organization to reconsider moving to another default browser for security reasons?

Most insightful and/or awesome answer wins!

>> VEF News Articles

After Heartbleed, Tech Giants Fund Open Source Security

Canada Revenue Agency Hit by Heartbleed

Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA

Coupling Functions Enable Secure Communications

How We Got Read Access on Google’s Production Servers

Thank you to all who attended this month’s VEF! We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly

, , ,

Leave a Reply

5 Responses to “May 2014 Patch Tuesday”

  1. Christopher

    We are looking to move away from IE and looking at Chrome or Firefox.

    May 14, 2014 1:16:08, Reply
  2. Barb

    Internet Explorer is constantly getting attached and has forsed our company to begin allowing Providers to download and use Chrome for their browser. However, our EMR software has to use Explorer to run so we are worried that enableing employees to make Chrome their default will cause problems when working in our Allscripts EMR. I would love to find an easy way to secure IE but instead end up searching and patching constantly.

    May 14, 2014 1:22:10, Reply
  3. Ron

    IE will always be attacked in earnest. Unfortunately, three key vendors rely upon it; alternate browsers are not an option.

    May 14, 2014 1:25:04, Reply
  4. Abner

    The corporation has considered going to a browser like Chrome because it is being updated realtime and will keep up more with the application cadance needed to support a browser independent open environments that are hardened. This considerationis because the IE browser and other Mircrosoft integrated application keep making the end user systems more and more vulnerable.

    Want the Nexus 7.


    Abner Piedramartel

    240-506-3574 or 240-997-4808

    May 15, 2014 4:27:41, Reply
  5. Mona

    Most unfortunately, the attacks have not caused our organization to explore other options for a browser solution. We are a small business, and there are only two of us supporting the entire user base. I think that the learning curve for changing to a new browser would be more than any of us could take (us or the users). I do however often encourage users to try Chrome at home, hoping it will give them the independence and confidence to use it here in the office should the day come that we are no longer interested in playing the reactive security role with IE.

    May 15, 2014 7:30:04, Reply

Additional articles


Answering the age-old question, ‘What’s plugged into my network?’

Posted October 9, 2015    Alejandro DaCosta

“What’s plugged into my network?” is a question I hear frequently from security administrators. And, really, it’s no surprise why. No longer do we have to account just for the physical servers in our datacenters, workstations and a few network devices. Now we need to keep track of roaming laptops, dynamic virtual systems, off-site cloud deployments and BYOD.


Closing the Vulnerability Gap

Posted October 7, 2015    Brian Chappell

Managing vulnerabilities is a significant challenge for many organizations. The main difficulties with managing this manifest in two key areas. The first is that the list isn’t static. The second is priority.


Scottrade Breach: Identified by Federal Officials

Posted October 5, 2015    Morey Haber

Late afternoon on October 2nd, news leaked out of another large security breach, now at Scottrade. The identity count of records, in the millions again (4.6 million is the latest). This breach comes on the second day of national CyberSecurity month, the first being Experian/T-Mobile breach.