For this July Patch Tuesday, Microsoft has released six updates, with two rated as critical, three as important and the final patch rated as moderate. Normally, this would represent an average update from Microsoft for this time of year. We also have seen the release of three advisories from Microsoft, which may relate to more important security vulnerabilities and patching processes than our standard monthly updates.
MS14-037 -- Critical
The first update from Microsoft that is rated as critical is MS14-037, which patches one public vulnerability, and 23 private memory corruption vulnerabilities, which may lead to remote code execution scenarios in Microsoft’s Internet Explorer (IE). This may sound like a large number of issues and judging by the number of Internet Explorer components and files that have been updated in the Microsoft patch manifest, things look serious. As this patch updates and replaces MS14-035 which also addressed a large number of memory corruption issues (58) , these twenty-free additional memory corruption issues appear to be related to the same class of issue and may be more a function of some much needed coding hygiene rather than responding to a significant vulnerability. I expect that we will see another batch of these types of issues included in the next IE patch cycle. With a high exploitability index for most of these security vulnerabilities, Microsoft recommends that you prioritise the deployment of this IE patch.
MS14-038 -- Critical
The second update from Microsoft for July that is rated as critical is MS14-038 and relates to a feature on the Microsoft Windows Server platform called Windows Journal and a security vulnerability in how this feature handles specially crafted (.JNT) files. This patch has a exploitability index of one and may lead to remote code execution scenarios on all Microsoft desktop and server platforms. The patch manifest for this update appears to update the entire file list (including executable and support graphics files) which is unusual for Microsoft. I am not sure how many people use Microsoft Journal even though it is shipped with most premium versions of Windows 7 and 8. In addition, with Microsoft’s OneNote and Evernote as full-featured competitors or alternatives, I suspect the user base and therefore the risk surface area is very small. Since you would need to open Windows Journal and then deliberately open a JNT file from an untrusted source, I am not sure about the level of risk that this vulnerability presents. Nevertheless, Microsoft has rated this update as critical and a number one priority for deployment.
MS14-039 -- Important
The next update from Microsoft for July is MS14-039 which resolves a privately reported vulnerability in Microsoft On-Screen-Keyboard (OSK) functionality and is rated as important, leading to elevation of privilege vulnerability scenarios. For those who have not recently used Windows on a touch-enabled screen, the OSK allows a user to move around the screen and enter text without a physical keyboard. This update should be part of your regular patch schedule. Similar to the other patches provided by Microsoft this month, this patch payload appears to contain all of the files related to the OSK, rather than a discrete update to a selected number of files.
MS14-040 -- Important
The next update rated as important by Microsoft is MS14-040 and relates to the Ancillary Function Driver (AFD) which could lead to an elevation of privilege scenario when a user runs a specially crafted executable. This exploit requires valid logon credentials for the user and the patch corrects the way the AFD validates input from user mode into the Windows kernel.
MS14-041 -- Important
The last update rated by Microsoft as important for July is MS14-041, which addresses remote code execution vulnerabilities in the Windows DirectShow graphics component. This particular vulnerability relies on an attacker successfully exploiting another lower level vulnerability and then using the DirectShow-specific vulnerability to gain the rights of the logged on user. This security issue is completely mitigated if you are using Microsoft Internet Explorer (64-bit) 11 on a Windows 8.x desktop as it employs Enhanced Protection Mode (EPM) by default. EPM ensures that add-ons, browser helper objects and extensions are only loaded if they are compatible with the EPM security model. This has two effects. The first is to vastly reduce your security exposure. Unfortunately, the second is to generate application compatibility and difficult trouble-shooting scenarios.
MS14-042 -- Moderate
The final update for this Patch Tuesday is MS14-042, rated moderate by Microsoft as it could lead to a Denial of Service (DOS) scenario. This particular security flaw affects the Advanced Message Queuing Protocol (AMQP) when a remotely authenticated user runs a specially crafted executable. AMQP is not generally installed on your standard enterprise server platforms and so for most of us this patch is both a low priority and a low risk. However, I am sure the Microsoft Azure team is busy right now making sure that this vulnerability is addressed on their systems.
The security advisories
The real story for this Patch Tuesday is not the security bulletins, but the security advisories from Microsoft. For July, we have three advisories that in turn relate to Adobe Flash; a significant update to how Windows validates credentials; and how Microsoft handles secure communication at the transport layer.
Microsoft security advisories are a supplement to Microsoft’s security bulletins, which may be issued quicker than a patch or update bulletin. Generally, Microsoft security advisories focus on providing clients with security information related to a rapidly changing situation. As a rule, bulletins contain files, advisories give notice or advice and sometimes registry updates. Following the format of Microsoft security bulletins, I have outlined some of the key features in the following Microsoft security advisories
This security advisory is actually an link to Adobe Flash player which affects all Windows 8.x and Server 2012 platforms. This Microsoft advisory addresses the vulnerabilities raised in Adobes Security bulletin APSB14-17. Adobe has rated this update a priority one for all version of Flash player and a three for Adobe Air. Adobe recommends that an update with a rating of one is patched within 72 hours.
This Microsoft security advisory (2871997) is a series of registry changes designed to enhance the security of Widows domain authentication protocols and prevent the theft of credentials through an update to the Restricted Admin mode. This security issue affects all Windows 8.x and Server 2012 platforms. The primary reason for this update is to prevent a particular man-in-the-middle attack called Pass-the-Hash that affects large enterprises. Microsoft has recently published a white paper (and some great info-graphics) on this now well-known Windows authentication vulnerability. If you thought that your large-scale enterprise domain was safe - think again. The Pass-the-Hash attack has been around for a long time, but poorly understood. Now, Microsoft is having to address a long-known, severe vulnerability in its authentication system.
This security advisory is a collection of registry entries that disables the RC4 protocol in the Transport Security Layer in the Microsoft .NET framework. Like the advisory 2871997, this security advisory note is intended to prevent man-in-the-middle attacks and to prevent plain text being retrieved from encrypted passwords.
Given the standard practice of deploying patches that are rated as critical by Microsoft first, I would add to that protocol a strong focus to act on these three advisory bulletins this month.