The first patch of the year for Microsoft January Patch Tuesday release cycle , MS14-001 deals with 3 privately reported security vulnerabilities (all relating to Memory corruption issues) affecting Microsoft Word where a specially crafted file, when opened will allow an attacker the same rights as the user. This vulnerability affects both 32 and 64-bit versions of all PC versions of Microsoft word. The fix offered by Microsoft in this update changes the way that Word parses files and prevents this type of remote code execution attack. Note that this vulnerability affects both RT versions of Word and the Web Services version as well. But, not the Mac version. Huh!
The second patch for this January 2014 Patch Tuesday update is MS14-002 and attempts to resolve a single publicly reported vulnerability. In this case, an attacker using a specially crafted application (EXE) would be enabled with elevated security privileges. For this attack to succeed, the attacker must also have valid logon credentials for the local machine. Standard domain access to a machine would preclude this type of attack and corresponding vulnerability. This patch addresses a zero-day security flaw that was raised in November 2013 and has seen “in the wild” exploits for Adobe Reader. Given that this vulnerability is present in Windows XP Service Pack 3, we can assume that all previous versions of XP (Service Pack 1 and 2) are susceptible to this form of attack as well. All I can say at this point is: April 2014 - Please get a move on. As a side note, I have stopped using Adobe Reader altogether as I use Google Chrome which employs its own integrated PDF viewer. Chrome’s PDF viewer is not perfect as it can’t read some PDF flavours and variations, but compared to the numerous security vulnerabilities and exploits directly targeting Adobe Reader, it’s a small price to pay.
MS14-003 is rated as Important by Microsoft and relates to an Elevation of Privilege exploit. Microsoft notes that the mitigating factors for reducing the impact of this Elevation of Privilege attack is to note that, “an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability”. What Microsoft is saying here, is that domain logons are good, and local access, especially local Administrator access is BAD. Following industry best practices and enforcing standard user rights through a domain environment eliminates this entire class of security vulnerabilities.
The forth and final update from Microsoft for our January Patch Tuesday patch cycle deals is MS14-004 and deals with Microsoft Dynamics and attempts to resolve one privately reported vulnerability. Microsoft reports that if an attacker delivers a specially crafted data-set to a Microsoft Dynamics Application Object Server, a successful attack could cause this server object to stop responding to client requests and thus create a Denial of Service condition. Microsoft does not offer any significant mitigating factors or workarounds for this Dynamics vulnerability.
January is always a relatively quiet month for the Microsoft Patch team. My suspicion is that due to Microsoft’s 2-3 week long vetting and validation process for security updates and the holiday period (and Christmas parties) there are simply fewer hands to get patches out for the following January release. Following this thinking, I bet that February will see a big patch release cycle with between 12 and 14 updates. Let’s see what happens.
This article is published as part of the IDG Contributor Network. Want to Join?