Big Patch Tuesday for Microsoft

Tuesday, June 10, 2014 @ 06:06 PM gHale

Microsoft fixed 66 vulnerabilities across seven bulletins in a huge June Patch Tuesday release, including a fix for an Internet Explorer 8 vulnerability it had known about for seven months.

In all, there were 59 fixes in Internet Explorer.

The IE8 vulnerability, CVE-2014-1770, was originally uncovered in October 2013. Hewlett-Packard Co.’s Zero-Day Initiative (ZDI) publicly disclosed it last month after Microsoft failed to address it within six months, which is the amount of time ZDI allows a vendor to fix a flaw before issuing a public disclosure.

ZDI provided Microsoft a small amount of leeway past the six-month cutoff date to patch the vulnerability, which is a flaw in the way the browser handles CMarkup objects, but Microsoft still failed to provide a fix.

In a blog post detailing this month’s Patch Tuesday updates, Dustin Childs, group manager for the Microsoft Trustworthy Computing group, said Microsoft was not aware of any exploits taking advantage of the IE8 vulnerability and thus the actual effect on IE users was minimal.

“If we consider the worst-case scenario analogous to a tree falling in the woods, is there a sound if no one is around to hear it? Similarly, does a vulnerability make a sound if it never gets exploited?” said Childs. “Until something actually occurs, it is still theory; we’re taking the theoretical and making practical updates against future ‘what ifs.’”

Besides the Internet Explorer 8 fix, Microsoft patched a record-breaking 59 browser vulnerabilities as part of its cumulative MS14-035 IE update this month.

Beyond the IE update, this month’s Patch Tuesday featured only one other bulletin, MS14-036, called “critical” by Microsoft. The bulletin fixes two privately reported, remotely exploitable vulnerabilities in the GDI+ graphics library found across numerous versions of the company’s Windows, Office and Lync software that can end up triggered via a malicious file or webpage. The flaws don’t allow for privilege escalation, according to Microsoft, so companies should configure user accounts with minimal access rights.

There were five other bulletins labeled “important”:
• MS14-030 resolves a vulnerability that could allow attackers to tamper with active Remote Desktop Protocol (RDP) sessions in Windows version 7 and 8, as well as Windows Server 2012.
• MS14-031 addresses a “particularly serious” denial-of-service vulnerability found in various versions of Windows and Windows Server. It could allow an attacker to send maliciously crafted TCP connections to a server, possibly resulting in an attacker knocking a server offline altogether.
• MS14-032 fixes a Microsoft Lync vulnerability that relies on a user clicking a malicious meeting URL, potentially allowing an attacker to obtain sensitive information from the session.
• MS14-033 patches a vulnerability largely affecting various versions of Windows that relies on an attacker luring a logged-on IE user to a specifically crafted webpage, again resulting in information disclosure.
• MS14-034 resolves an Office 2007 vulnerability that can end up remotely exploited if a user opens a malicious file, giving an attacker the same account rights as the current user.