Patch Tuesday: Microsoft Issues 8 Updates

Wednesday, May 14, 2014 @ 10:05 AM gHale

Microsoft released two critical advisories on Patch Tuesday.

Microsoft identified three advisories, MS14-024, MS14-025 and MS14-029 (the IE patch), as priority one patching concerns. MS14-029, the update to IE, is the only one of the two critical issues to receive the priority one designation. The other critical advisory, MS14-022, which affects SharePoint, is a priority two for patching because of the complexity of the attack and because the issue was privately reported and, therefore, is not a public exploit.


MS14-029 is an interesting advisory. It is not a cumulative rollup fix for IE, which breaks with the recent trend of IE patching, but it does re-include the patch for MS14-021, which was fixed outside of the normal patch cycle on May 1. It’s not yet clear whether this modifies the original fix or simply provides another vector for customers to get it.

One of the other CVEs fixed in this advisory is under limited, targeted attack. Also, there are two versions of this patch for Windows 8.1 users, one for those who took the “Spring 2014 update rollup” and one for those who did not. This is the first advisory that clearly would have applied to Windows XP, but for which no patch is available.

IE 6, 7 and 8 are vulnerable on Windows 2003 SP2. Historically this would have mapped to the same scope as the XP patches, but not this time: Microsoft ended support for XP in April.

Of the other two issues, rated important but given the highest patching priority, MS14-024 is a fix for an ASLR bypass. That means this issue is not really an exploit in and of itself, hence the “important” designation, but a weakness used in conjunction with other exploits to increase the likelihood of successfully controlling the location of memory manipulation. MS14-024 has been seen in use in conjunction with other attacks.

MS14-025 isn’t really a fix for the underlying issue; it simply stops system administrators from doing something that weakens their overall security going forward, by preventing them from specifying a local administrator password in group policy settings, where anyone on the network can recover it in a reusable form. However, administrators who have already made that mistake will not have the setting removed and will still have to take other measures to plug that hole.
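Because the patch leaves existing entries in place, the practical follow-up is to find them. The following PowerShell audit is an added example, not code from the article or from Microsoft: it walks a Policies tree, opens the Group Policy Preferences XML files that can carry a stored password (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml) and reports every item with a non-empty cpassword attribute. The SYSVOL path in the comments is an assumption about a typical domain layout, and the demonstration at the end writes a constructed Groups.xml with a placeholder cpassword value to a temporary directory so the script runs offline.

```powershell
# Added example (not from the article or Microsoft): audit Group Policy Preferences
# XML files for the cpassword attribute that MS14-025 stops administrators from
# creating. The patch does not remove existing entries, so they must be located
# and cleaned up by hand.

# Preference item files that can carry a cpassword attribute.
$GppFiles = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'

function Find-GppPassword {
    param(
        # Root to scan. On a domain controller this would normally be the SYSVOL
        # Policies share, e.g. "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
        # (assumed path; adjust for your domain).
        [Parameter(Mandatory)] [string] $Root
    )
    Get-ChildItem -Path $Root -Recurse -File -Include $GppFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            [xml]$doc = Get-Content -Path $file.FullName -Raw
            # Any element with a non-empty cpassword attribute is a stored credential.
            # Only its presence is reported; nothing is decrypted.
            $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]') |
                ForEach-Object {
                    [pscustomobject]@{
                        File    = $file.FullName
                        Item    = $_.ParentNode.LocalName        # e.g. User, Service, Task
                        Account = $_.GetAttribute('userName')    # empty for item types without one
                        Changed = $_.ParentNode.GetAttribute('changed')
                    }
                }
        }
}

# Offline demonstration with a constructed Groups.xml. The cpassword value is a
# made-up placeholder, not a real encrypted password.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" changed="2014-05-01 12:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_NOT_A_REAL_VALUE" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@
$demoRoot = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$demoDir  = Join-Path $demoRoot '{GPO-GUID-PLACEHOLDER}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
Set-Content -Path (Join-Path $demoDir 'Groups.xml') -Value $sample -Encoding UTF8

# Expected: one row for LocalAdmin from the constructed file.
Find-GppPassword -Root $demoRoot | Format-Table -AutoSize

# Real run on a domain controller (assumed path):
# Find-GppPassword -Root "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
```

Run it with an account that can read SYSVOL. For each item reported, delete the preference item from the GPO, then change the affected account's password on every machine the GPO reached, since the old value may already have been recovered.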

MS14-027 is an elevation of privilege issue privately reported to Microsoft, and is seeing limited, targeted attacks.

MS14-028 is a denial of service affecting Windows servers with the iSCSI service installed. The service is not installed by default on Windows 2008 or 2008 R2, and is included but disabled by default on Windows 2012.
