Microsoft Patch Tuesday for February 2014

With this February Patch Tuesday release from Microsoft, we see 7 security bulletins with four updates rated as Critical by Microsoft and the remaining bulletins rated as Important.

The first update for February is MS14-007.  It has been rated as Critical by Microsoft and is a Remote Code Execution vulnerability in the Microsoft Direct2D graphics API. Microsoft’s Direct2D graphics component is a hardware accelerated, immediate-mode set of APIs that increase the rendering speed of graphics in supported applications (such as Microsoft’s Internet Explorer). As with most Remote Code Execution security issues, this update attempts to address a memory corruption issue that could be exploited by an attacker. This security issue requires a user to take a specific action on a specially crafted web page or email. As Microsoft’s Direct2D technology was a key update in the Windows 7 and Server 2012 platforms, all of these and later desktop and server operating systems are affected. As a consequence, all platforms earlier than Windows 7, i.e. Windows Vista and Windows XP, are not affected. This vulnerability was raised by Omair from Zero Day initiative, and if a machine is comprised through this type of attack, the 3rd party will achieve full administrative rights on the targeted machine.

The second Critical update for February is MS14-008 and relates to a vulnerability in Microsoft’s anti-spam and anti-malware technology Forefront Protection for Exchange 2010. This is not the first time a critical vulnerability has surfaced in a Microsoft anti-virus or anti-malware technology as Windows Defender has had a number of core vulnerability updates over the past few years. If you are using Office 365, then you don’t have to worry about this security issue. However, if you are managing your own Microsoft Exchange servers, then this is an update with a limited testing profile that should be quickly deployed.

The next Critical update, MS14-010 relates to a massive 23 vulnerabilities in Microsoft’s Internet Explorer (IE), the most severe of which could lead to Remote Code execution. This collection of security vulnerabilities affects all versions of Internet Explorer from version 6 all the way to version 11, including Windows RT. If you employ the Server Core operating system approach (minimalist installation), then you will not be affected as IE is not included in these deployments. This is a massive update with a large vulnerability profile and so MS14-010 gets the “Patch Now" award for February.

The last Critical update from Microsoft this month is MS14-011 and relates to a privately reported vulnerability in the Microsoft Visual Basic Scripting engine (VBS) that could lead to Remote Code Execution scenarios.  This security vulnerability affects all versions of Windows desktops and server operating systems. You may wonder which version of the Microsoft scripting engine is currently deployed to your desktop as certain versions are included in the core installation. However, you may have upgraded versions over the years using the example of Internet Explorer Version 8 which updates the Microsoft VBS engine to 5.8. That all said, with this update, you needn’t worry as every version is exposed to this Remote Code Execution attack. This is a “Patch Next” update.

Taking the first update rated as Important for this month, MS14-005 relates to a vulnerability in Microsoft’s XML data-handling technology which could lead to Information Disclosure type attacks through the use a specially crafted web page viewed with Microsoft’s Internet Explorer (IE). This Critical update from Microsoft relates to all desktop and server platforms though interestingly it does not affect the core Microsoft XML Services modules version 4 through 6. In the event that your organisation is not able to distribute this update quickly enough, Microsoft has provided a handy registry update workaround that can be deployed through Active Directory that mitigates against this type of attack.

The next update rated as Important by Microsoft for February is MS14-006 which relates to a denial of service vulnerability in the IPV6 networking component. This update attempts to resolve a publicly disclosed issue which could allow an attacker to send a large number of specially crafted IP (network) packets to an affected system resulting in a loss of service. To be successful, an attacker must be on the same subnet as the affected system. This update affects Windows 8, Server 2012, Windows RT systems and importantly Server Core Installations.

The final update rated as Important for this month’s release of security updates from Microsoft is MS14-009, which attempts to resolve two publicly disclosed vulnerabilities in the Microsoft .NET Framework. The most severe of these two security issues could result in an Elevation of Privilege scenario. The update MS14-009 affects all Windows and Server platforms. Somewhat confusingly MS14-009 does not apply to versions 3.0 (Sp2) and version 3.5 (SP1) of the Microsoft .NET Framework and the 2008 version of Windows Server Core installation is not affected as well.

Copyright © 2014 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon