This May update from Microsoft includes nine updates, eight of which have been released for this May Patch Tuesday. Microsoft released an earlier out of band (OOB) patch for the ninth. Of these nine security updates, three are rated as critical by Microsoft with the remaining six rated as important.
The first update from Microsoft for this May Patch Tuesday rated as critical is MS14-021. This patch to Internet Explorer (IE) resolves a publicly disclosed vulnerability that may result in aremote code execution scenario that affects how IE handles objects in memory. This vulnerability affects all versions of Microsoft 's Internet Explorer and may result in an attacker obtaining the same rights as the logged on user. This is a bit of a tricky update. If you have employed a previously published work-around from Microsoft, you will have to change the security settings on your tarket systems resource file, VGX.DLL. Before you can successfully update your target machines you need to reset your access control list (ACL) with the following command;
echo y| cacls "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" /g original ACLs
The next update rated as critical by Microsoft, MS14-022 relates to Microsoft 's SharePoint platform and if un-patched could also lead to aremote code execution scenario. This update affects all versions of SharePoint, SharePoint Foundation, Designer and also the Microsoft Web Office Server platform. This update attempts to address three separate vulnerabilities, two page content vulnerabilities (CVE-2014-0251 and CVE-2104-1813) and one cross-scripting vulnerabilitiy (CVE-2014-1754). Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code onto the local machine. Some common vulnerabilities may make your Web applications susceptible to cross-site scripting (XSS) attacks including
- failing to properly validate input, and
- failing to encode output, and trusting the data retrieved from a remote or shared database.
Cross-site scripting vulnerabilities are tough to detect and sometimes really tough to fix. To assist web developers with managing these kinds of serious vulnerabilities, Microsoft has released a toolkit designed to reduce the incidence of XSS vulnerabilities here. The third and last update rated as critical by Microsoft is MS14-029. In addition to the OOB update to Microsoft 's Internet Explorer earlier this month, we have an additional patch that addresses two privately reported vulnerabilities dealing with how IE deals with specially crafted web pages. This security vulnerability may result in a remote code execution scenario with an attacker gaining the same rights as the logged in user. This update affects all versions of IE (32 and 64-bit and RT versions). All modern Microsoft server platforms (2003/8/12) now run Microsoft's IE in an enhanced security configuration (ECM). Microsoft 's ECM is a security configuration specifically designed for servers to reduce the potential for these types of attacks. Unfortunately, the result of this enhanced lock-down mode sometimes results in pages not working as expected or not displaying correctly. For example, all ActiveX controls are disabled and Internet Explorer will warn the user when moving from a secure web-site to a non-secure website. These configuration issues are managed through specifically marking a site as Trusted for that server.
The next six updates released from Microsoft this month are rated as important and deal with remote code execution, elevation of privilege and denial of service scenarios.
The first update from Microsoft rated as important is MS14-023 which updates two privately reported vulnerabilities. Each of these security issues could allow aremote code execution (RCE) scenario when a user accesses a Microsoft Office file on the same directory as a specially crafted library file. One of the reported vulnerabilities affects the grammar checking component in Office, and therefore Microsoft's proofing tools are also affected by this security issue. This update affects Microsoft's Office versions 2007, 2010 and 2013.
The next important update is MS14-025 which addresses a publicly disclosed vulnerability in Microsoft 's group policy which could lead to an elevation of privileges scenario. At present, Microsoft has not published any mitigating strategies for this vulnerability.
The next important update for this May Patch Tuesday is MS14-026 which addresses one privately reported vulnerability in the Microsoft .NET platform which could lead to an elevation of privilege security issue. This update affects both the .NET 4.0 Framework and the .NET 4.0 Framework Client profile. The .NET Framework Client profile is a sub-set of the larger .NET Framework that is optimised for client applications. To find out more about the .NET 4 Client Profile, look here .
Microsoft also released patch MS14-027 which addresses a vulnerability in Windows Shell handler that could lead to an elevation of privilege scenario. This update resolves the way that Windows Shell Execute Application Programming Interface (API) handles certain file extensions. Microsoft has rated this security issue as important due to the fact the attacker would have to first log on to the target system and then run a specially crafted file. This update affects all versions of the Windows desktop and server platforms (both 32 and 64-bit). There are currently no published work-arounds for this vulnerability.
The penultimate important update for May is MS14-028 which attempts to address a vulnerability in the iSCSI interface that could cause a denial of service scenario. This denial of service vulnerability is caused by an attacker sending large amounts of specially crafted iSCSI packets over the affected network. This update is rated as important for Microsoft 's Server 2008 and all releases of Windows Server 2012. In the event that you choose not to update your servers with this security update, Microsoft has published a number of way to reduce the risk of this security vulnerability including;
- Limit the attack surface from untrusted networks by placing iSCSI on its own isolated network, separate from any network on which internet traffic flows.
- Configure your firewall to restrict access to TCP port 3260 to authorised iSCSI client IP addresses.
The final update for May from Microsoft is MS14-024 . This security update from Microsoft relates to a scenario where a Microsoft Common Control could allow a security feature bypass. This vulnerability can affect Microsoft Office 2007, 2010 and 2013. The control in question is used by most desktop and server applications and contains functionality to display calendar pickers, tool-bars and other use common features seen in today 's applications. This issue attempts to address the ASLR implementation found in this Microsoft control. Address Space layout Randomisation is a security technique employed by Microsoft ASLR to prevent attackers from using well know memory locations in system to run their own code. To find out more about Microsoft 's ASLR, look here. In addition to this security update, Microsoft has also published the Enhanced Mitigation Toolkit (EMET) for developers to help protect their applications from this type of security vulnerability.