Microsoft Patch Tuesday for June 2014: A BSOD Beckons?

With this Microsoft Patch Tuesday for June, Microsoft has released two updates rated as critical, with the remaining five patches rated as important. This is an average-sized security update for Microsoft, with two urgent patches and one update that you may want to test heavily before deploying to your server environment.

MS14-035 -- Critical

The first critical update for this June Patch Tuesday is MS14-035 which updates Microsoft’s Internet Explorer (IE) to prevent a potential remote code execution vulnerability.

This patch addresses two publicly disclosed vulnerabilities and a whopping 57 privately disclosed vulnerabilities. At present, Microsoft believes that none of these security vulnerabilities have been exploited. Microsoft has offered its standard response to ActiveX and Active Scripting security issues by essentially advising people to disable both of these technologies. Both ActiveX and Active Scripting allow for the instantiation of Microsoft COM objects, which, for those in the know, effectively allows for 'anything to happen' on your desktop. From a security perspective, this is not a good thing. This IE update is a massive file update covering almost the entire IE code base of 47 files. Crucially, the three files most commonly used by desktop application developers (URLMON.DLL, WININET.DLL and MSHTML.DLL) have been updated.

I believe that this is the largest number of vulnerabilities addressed in a single Microsoft patch. To be fair to Microsoft, Active Scripting (formerly ActiveX Scripting) was released in 1996 with Internet Explorer 3.0 and was not really up to the task of managing the complex security environment of today’s Internet.

Given this significant vulnerability profile and the very significant file update included in this patch, I would rate this update as 'patch now', but test heavily before deployment.

MS14-036 -- Critical

The next update rated as critical by Microsoft is MS14-036 and relates to two privately reported vulnerabilities in Microsoft’s Windows and Office platforms as well as Microsoft's Lync communication application.

This remote code execution vulnerability relates to how Microsoft's GDI+ core graphical component handles records, and it appears that Microsoft's legacy web-based file sharing protocol (WebDAV) is the most likely remote attack vector. GDI+ has long been an ideal candidate for web-based security vulnerabilities due to the way it handles (i.e. explicitly trusts) specific file information such as fonts. Previously, Microsoft has released security updates relating to both font-based vulnerabilities (MS13-053) and GDI components (MS13-054) in the same month.

Given how most applications are developed and how they function with the GDI+ programming interfaces, the potential for application dependency issues is generally very low. This update is a 'patch now', with a light testing profile.

MS14-034 -- Important

The first update for this June Patch Tuesday rated as important by Microsoft is MS14-034, which relates to a privately reported vulnerability in Microsoft Word, which could result in a remote code execution scenario. This Microsoft patch updates three core files for Word: WINWORD.EXE, WWLIB.DLL and WORDCNV.DLL.

This patch only affects Microsoft Office 2007 and the Office 2007 Converter Pack. This vulnerability cannot be exploited automatically through an email attachment and a successful exploit would result in the same rights as the user. For this attack to be successful, a user must open an attachment contained in an email message.

This patch should be included in your normal Patch Tuesday update cycle with a very light testing profile.

MS14-033 -- Important

The next update rated as important by Microsoft is MS14-033 and resolves a privately reported vulnerability in Microsoft’s XML Core Services (MSXML) through Internet Explorer. This MSXML vulnerability could generate information disclosure scenarios. Given this patch’s lower rating (important) and less severe consequence (information disclosure), the standard advice might be to deploy with minimal testing.

Microsoft’s XML Core Services (MSXML) provides a “lower layer” to the standard desktop middleware stack, however. Specific application dependencies and hard-coded references are common for MSXML and upgrading a core component of your application stack may be cause for some serious testing.

If you have data-driven in-house developed applications, it may be best to pass this patch to your development team for full testing prior to general deployment.
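One way to find the hard-coded MSXML references described above, so you know which in-house applications to hand to the development team for testing. This is an added example, not part of the original article; the file extensions scanned and the sample sources are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Real MSXML ProgIDs and DLL names. A ".N.0" suffix or msxmlN.dll pins one
# MSXML release; an unsuffixed ProgID is version-independent.
MSXML_REF = re.compile(
    r"\b(?:Msxml2|Microsoft)\.(?:FreeThreadedDOMDocument|DOMDocument|XMLDOM|"
    r"ServerXMLHTTP|XMLHTTP|XSLTemplate|SAXXMLReader|XMLSchemaCache)"
    r"(?:\.(\d)\.0)?|\bmsxml(\d)\.dll\b",
    re.IGNORECASE,
)
SOURCE_EXTS = {".vbs", ".wsf", ".asp", ".js", ".cs", ".vb", ".cpp", ".h", ".config"}

# Constructed sample sources (hypothetical in-house apps, not real code).
SAMPLES = {
    "billing/export.vbs": 'Set doc = CreateObject("Msxml2.DOMDocument.6.0")\n',
    "portal/Feed.cs": '// legacy\nvar t = Type.GetTypeFromProgID("Microsoft.XMLDOM");\n',
    "portal/app.config": '<add key="parser" value="C:\\Windows\\System32\\msxml3.dll"/>\n',
    "portal/Util.cs": "class Util { }\n",
}

def scan_tree(root, exts=SOURCE_EXTS):
    """Return (relative_path, line_no, reference, pinned_version) per hit."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in MSXML_REF.finditer(line):
                pinned = m.group(1) or m.group(2)  # None: version-independent
                rel = path.relative_to(root).as_posix()
                findings.append((rel, line_no, m.group(0), pinned))
    return findings

def demo():
    """Write the constructed samples to a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, line_no, ref, pinned in demo():
        kind = f"pinned to MSXML {pinned}" if pinned else "version-independent"
        print(f"{rel}:{line_no}: {ref} ({kind})")
```

Applications that pin a specific MSXML version or load the DLL by path are the ones most worth including in the pre-deployment test pass.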

MS14-032 -- Important

Microsoft Lync is updated again this month with the important update MS14-032 that patches Microsoft Lync Server (versions 2010 and 2013) for potential information disclosure security scenarios.

Though this update includes a large number of files, this patch payload mainly updates language and resource files. The potential for knock-on effects from this application-specific update is very low. Include this update in your normal server update cycle.

MS14-031 -- Important

The next update rated as important by Microsoft is MS14-031 and relates to Microsoft’s core network technology (TCP/IP) and may result in a denial of service (DoS) scenario.

This core networking update affects all versions of Windows desktop and server platforms except Server 2003. Microsoft has updated the networking stack before with MS13-049 and MS13-018, both of which were minor updates to supporting TCP/IP files. This security patch updates the following core files of the Microsoft networking stack: NETIO.SYS, FWPKCLNT.SYS and TCPIP.SYS.

Remember the good old days when we had 'Blue Screen of Death' (BSoD) errors and STOP 0x00000050 error messages, which caused chaos with Windows Server? All of these files were implicated in numerous BSoD problems and required updates to anti-virus software and other network-level scanning tools.

I would test this update on several different types of server platforms and then wait, wait, wait. This patch is a low priority and has the potential to cause serious server crashes and difficult debugging scenarios.

MS14-030 -- Important

The final update rated as important for this June Patch Tuesday is MS14-030, which resolves a single privately reported vulnerability in Microsoft's Remote Desktop Protocol (RDP) that may lead to a tampering scenario. This security patch updates the encryption technology used by RDP when communicating between two clients by adding Microsoft’s own version of Datagram Transport Layer Security (DTLS).

This is a minor update to a more secure communication channel for a technology mostly used by IT professionals. Ensure that this patch is part of this month’s patch cycle as it has a light testing profile. 

Copyright © 2014 IDG Communications, Inc.
