For this August patch Tuesday, Microsoft has released nine updates, with two rated as critical and the remaining seven rated as important. The number of updates for this month is about average with a lowering trend from the high of 15 updates from Microsoft in 2010 to an average of nine or ten for the past three years. In addition, we see a change in the way that Microsoft views its update strategy.
MS14-51 -- Critical
The first critical update relates to Microsoft Internet Explorer (IE) and deals with twenty-five publicly reported vulnerabilities and one publicly reported security issue. The most severe of these reported security vulnerabilities could lead to a remote code execution scenario when a user visits a specially crafted web page. This update affects all versions of Microsoft IE including versions 6, 7, 8, 9, 10 and 11. All 32 and 64-bit platforms are affected as well as the Microsoft RT platform. This update follows on the heels of numerous privately reported security vulnerabilities over the past few months, and falls in line with an ongoing internal code cleanup project that I believe Microsoft is working through. As I mentioned in my previous post on Microsoft Patch Tuesday, I can see this process continuing for the next few months, with multiple privately reported security vulnerabilities addressed in subsequent IE security updates. As with all Microsoft IE updates, Server 2008 and 2012 Core systems are not affected, as they do not include Microsoft IE. It should also be noted that Microsoft believes that none of the privately disclosed vulnerabilities have been exploited, while one of the publicly disclosed issues has now been verified as exploited. Following my “coding hygiene” hypothesis, all of the distribution files for Microsoft IE have been updated and included in the patch manifest for this security update.
MS14-043 --Critical
The second update from Microsoft for this August patch Tuesday that has been rated as critical relates to a Windows Media Center security vulnerability, which can lead to a remote code execution scenario when a user attempts to open a specially crafted Microsoft Office file. This single privately reported vulnerability relates to how Windows Media Center handles memory with COM requests. After examining the patch manifest for this update and noting that only a single DLL file (MCPLAYER.DLL) is updated, it appears that although this issue is rated as critical by Microsoft, it will most likely not rate as a high priority deployment for most enterprises and should have a minimal testing profile.
MS14-044 -- Important
The first of seven updates from Microsoft rated as important relates to two privately reported security vulnerabilities that may lead to an elevation of privilege vulnerability in Microsoft SQL Server. This update addresses how SQL Master Data Services (MDS) encodes output and how Microsoft SQL Server handles T-SQL queries. Crucially, this vulnerability relates to a cross-site scripting vulnerability in Internet Explorer where a user visiting a specially crafted web page in IE could inject a client-side script into the user instance of IE, which could then result in the disclosure of information or content spoofing from that instance of SQL Server. Given that most administrators reduce their exposures to the web on their SQL server platforms, Microsoft recommends that the "Enable XSS filter” option is enabled in the standard IE configuration. In addition, I would recommend employing the practices included in the Microsoft Enhanced Mitigation Experience toolkit to reduce your SQL Server exposure to Internet based security threats. Given that most SQL servers in the enterprise will generally be excluded from a standard patch deployment, Microsoft has provided two ways to obtain this update. The first is through the GDR (General Distribution Release) update process and the second is the QFE (Quick Fix Engineering) update model. Following Microsoft's introduction of the SQL Server Incremental Servicing Model (ISM), GDR releases relate to issues that are important enough to install on every instance of that version of SQL Server and QFE updates are used when the threat or vulnerability is not judged severe enough to warrant a GDR update. Microsoft has provided a good article on the differences between GDR and QFE updates for Microsoft SQL Server here:
MS14-045 -- Important
The next update from Microsoft rated as important for this August patch Tuesday addresses three privately reported vulnerabilities in Windows Kernel Mode drivers, which could lead to elevation of privilege scenarios. This patch addresses memory-handling issues in how Windows Kernel Mode drivers manage thread level owned objects in memory. Importantly, this patch affects all versions of Windows (both desktop and server platforms) and though only rated as important by Microsoft will definitely require a reboot of all your systems. For users of Windows 8.1, Windows RT 8.1 and Server 2012, you may not be automatically offered this update unless you have installed the previous update associated with Microsoft KB article 2919355. The patch manifest for MS14-045 updates both Gdi32.dll and the Win32k.sys files. The Windows graphics display interface (home of Gdi32.dll) is regularly updated by Microsoft but we have seen many episodes in the past where updates to the kernel driver Win32k.sys have caused difficult-to-debug “Blue Screen of Death” (BSOD) stop errors. I would test this update on all key and line of business servers before general deployment.
MS14-046 -- Important
The next important update from Microsoft for this August Patch Tuesday relates to a single privately reported vulnerability in the Microsoft .NET framework that may lead to the bypass of the Microsoft Address Space Layout Randomization (ASLR) security feature when a user visits a specially crafted web page. In addition, this vulnerability could be used in conjunction with another vulnerability resulting in a remote code execution scenario. This is another case where Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) will completely mitigate this kind of security vulnerability. Normally, Microsoft releases a single support page that details the patch manifest (list of files and registry entries changed or added in the patch) in a simple list broken down by platform or operating system. For this update, due to the number and complexity of the files included in the update, a link to a CSV file has been provided. With over 6900 file related entries, I am sure that this update will require some testing before general deployment.
MS14-047 -- Important
The fourth update rated as important by Microsoft is MS14-047, which relates to a security vulnerability that also takes of advantage of an ASLR security feature bypass vulnerability in the Local Remote Procedure Call (LRPC) feature. Unfortunately, the current version of LRPC handles some unexpected message data poorly and does not free memory from malformed messages, resulting in a potential remote code execution scenario. This update should be included in your general testing regime with the remaining updates rated as important by Microsoft.
MS14-048 -- Important
The fifth important update for this patch Tuesday relates to a remote code execution scenario in Microsoft OneNote when a user opens a specially crafted file. This is a straightforward update that includes a change to the primary OneNote executable and a few support files. This update should be included in your general patch deployment program.
MS14-049 -- Important
This patch rated as important relates to the Microsoft Installer technology and could lead to an elevation of privilege scenario. Microsoft’s Windows Installer technology is now one of the key installation and deployment methods for Microsoft and most other third-party software. First released with Office 2000, Microsoft MSI Installer quickly became the standard for application installations. Though a little complex (it uses a database for managing files and registry settings) this technology has generated its own industry (application packaging) and continues to define how applications are installed, configured, updated and removed from desktop machines and servers alike. I believe that the last time this Windows feature was updated through a patch update was four years ago with MS10-100. If un-patched, this MSI Installer vulnerability could lead to full administrative control over the target machine when in the process of repairing a specially crafted application. I would run a significant number of applications through the full Installer cycle (install, configure, update/patch, repair, uninstall) and check the resultant log files before deploying this update.
MS14-50 -- Important
The final patch rated as important for this August Patch Tuesday relates to a single privately reported vulnerability in Microsoft SharePoint that could lead to an elevation of privilege scenario. The update MS14-050 addresses this security issue through better handling of applications that integrate with SharePoint through custom actions. This update only affects SharePoint Server 2013 (including Service Pack 1) but does include a complete refresh of all of the files in the SharePoint Server 2013 installation. This update is probably worth a quick review in your “pre-release” or development SharePoint Server cluster before general deployment.
To find out more and get a peek at the people behind the scenes at Microsoft you can tune into the August Security Bulletin webcast, scheduled for Wednesday August 13, 2014 at 11 am PDT or if you need to consider third party applications like Adobe Reader updates, you can tune into the Shavlik Patch Tuesday webinar.
Probably the biggest update for this August patch Tuesday is the way that Microsoft is now viewing updates and the update process. Instead of just updating applications, or patching security vulnerabilities in the OS, Microsoft is now adding features and functionality to the monthly update process. Following Brandon LeBlanc’s blog posting on Windows 8.1 and Windows Server 2012 R2 we are seeing functionality updates that include an update to how the Windows 8.1x touchpad functions, changes to the Miracast Wi-Fi API drivers, and it looks like SharePoint is trying to minimize the number of login prompts when accessing federated sites. This is all good stuff, but I am not sure about mixing critical updates with “nice to have” feature updates. The testing profile is already significant. Just looking at this month, your IT team is going to have to test key components of your desktop and server platform, test the primary application installation mechanism and then manage the potential ramifications of a change to the software that is (for most enterprises) the gateway to the Internet. Is that enough for August?
