With this Microsoft Patch Tuesday update for March 2014, we see that Microsoft has released five updates, with two rated as Critical and three rated as Important by Microsoft. This is an average size security update for Microsoft for this time of year as we have generally seen Microsoft release 5-7 updates for the month of March on average over the past 10 years.
The first update from Microsoft for this March Patch Tuesday security update is MS14-012 and attempts to resolve one publicly released vulnerability and seventeen other security related issues with Microsoft’s Internet Explorer. These vulnerabilities may result in a Remote Code Execution scenario when a user views a specially crafted webpage with Internet Explorer (IE) . These vulnerabilities affect all current versions of IE (versions 6 to 11) and affect both server and desktop platforms. In fact, the only platforms not affected by this update are the Microsoft Server Core operating systems which do not include (by default) Internet Explorer. If the targeted organisation has followed industry best practices and limited the rights to standard user accounts, then this vulnerability will only have the rights and privileges of the logged in user - thus, reducing the potential negative impact of this security issue. At present, Microsoft has not documented any mitigating factors and nor are there any available work-arounds for these reported vulnerabilities. This update is interesting, due to the large number of people and disparate teams involved in the reporting of these IE related vulnerabilities. Of course we have the HP Zero Day Initiative involved, but for this issue, we also have Palto Alto Networks, Qihoo , FireEye , and Symantec to thank as well.
The second update rated as Critical from Microsoft for this March Patch update cycle is MS14-013 which deals with a single reported vulnerability in a key graphical component of the Windows desktop platform called DirectShow. This update, like it’s IE predecessor, may result in a Remote Code Execution scenario when a user selects (clicks) on a specially crafted image (JPEG) file. Again, if the target organisation has followed industry best practices and reduced the administrative privileges for their standard users, this particular security issue will only result in the same security level as the logged on user. DirectShow is a series of graphical API’s published by Microsoft that relate to the playback of audio and video on desktop platforms. As Microsoft’s DirectShow technology relates only to Microsoft desktop platforms, this vulnerability and corresponding update does not apply to Microsoft’s Server (Server 2008 and Server 2012) and RT platforms. The most common approach for attacks to exploit this vulnerability is to convince (trick) a user to click on a specially crafted image on a specific web page. Fortunately, this vulnerability is not exposed through the reading of an email as the user must click on an attached image included in the infected message to infect that local machine. Other than quickly testing and releasing this update to your environment, Microsoft has not released any documented work-arounds for this vulnerability.
Probably the most serious update rated as Important (rather than Critical) by Microsoft for this March Patch Tuesday update is the patch to the Windows Kernel Driver sub-system with the patch MS14-015. This update attempts to resolve one privately reported and publicly reported vulnerability that may lead to an Elevation of Privilege attack scenario. As I mentioned in my previous Microsoft Patch Tuesday postings, this type of vulnerability is a recurring theme within the Microsoft security community and reflects the fact that this latest security patch updates a previous Microsoft patch that was released last year in December with the Microsoft update MS13-101. This update is most likely rated as Important by Microsoft as it requires valid logon credentials for an attacker to exploit this specific vulnerability.
The second update rated as Important by Microsoft, MS14-016 is an interesting one as it replaces at least two more general updates to vulnerabilities patched last year by MS13-032 and a two year-old vulnerability in the LDAP component of Microsoft’s directory service with the update MS11-095. I say it was an LDAP issue, but it is generally referred to a vulnerability in the Microsoft Active Directory Lightweight Directory Service (AD LDS). The primary vulnerability that this update attempts to address is how the client-to-server protocol SAMR handles brute force password attacks. Modern desktop platforms such as Windows 7 (all Service Packs) and Windows 8.x platforms are not affected. However, both 32 and 64-bit Microsoft server platforms are affected as well as legacy desktop platforms such as Windows Vista and Windows XP. At present, Microsoft has not documented any workarounds or mitigating factors for this vulnerability.
And the final update for this March Patch Tuesday (MS14-014) is also rated as Important by Microsoft and Important by me as well. The reason? It affects both Microsoft and Mac users. Silverlight is a very pretty and pretty useful runtime environment for web developers that was first released in 2007 and had it latest update in May 2012. This Microsoft Patch Tuesday update is not so much an update as an upgrade to Silverlight version 5.1.30214.0 which is the first version which is not affected by this security vulnerability. This update attempts to maintain the integrity of two security functions in Silverlight referred to as Data Execution and Protection (DEP) and Address Space Layout Randomisation (ASLR). This update is interesting as well, as the Security Bypass vulnerability may lead to a Remote Code Execution scenario leading to an attacker with the same rights and privileges as the logged in user. However, if you are worried about running Silverlight in your server environment (please don’t - why would you run Sillverlight applications on your server??) there is security backstop provided by Microsoft with the Enhanced Security Configuration mode which mitigates this issue completely.
This article is published as part of the IDG Contributor Network. Want to Join?