Last updated at Fri, 21 Jul 2017 16:27:19 GMT
Microsoft has released the patches and it is a relatively light month. Six issues in total, 2 Critical, 3 Important, 1 Moderate. OS administration teams will be busy, application administrators get the month off.
One of the critical issues is MS14-037 IE fix. After the 59 patched in MS14-035 we have a mere 24 this round, which is double or triple what I expected based on the recent trends. This patch is a cumulative roll up, meaning it encompasses previous patches and will supersede them. Of the 24 CVEs, 23 are privately disclosed or internally discovered Remote Code Execution (RCE) issues. The 24th (CVE-2014-2783) is a publically disclosed security feature bypass in which IE does not properly validate a certificate chain where wildcard values appear in the certificate. This would allow an attacker to potentially compromise certificate validation with a specifically crafted attack.
The other critical (MS14-038) affects Windows OSes from Vista to latest, excluding Server Core builds. This issue is in Windows Journal, so it's not installed by default in any Server OS, but would be pulled in if the user has installed the "desktop experience" or "ink and handwriting" services. These two, MS14-037 & MS14-038, are the top patching priorities.
MS14-039, MS14-040, & MS14-041 fix the issues disclosed in this year's pwn2own contest via the Zero Day Initiative's responsible disclosure process. They are all local, elevation of privilege issues by which an unprivileged user or process may gain greater access. They have demonstrably been used in chained attacks to achieve compromise and, given the nature of their disclosure, must be known to have exploit code in existence. Now that ZDI's embargo has been fulfilled, that exploit code may become publically available.
The odd one out this month is MS14-042 the "Moderate" Denial of Service in "Microsoft Service Bus for Windows Server". This affects the AMQP implementation which is part of the Microsoft Web Platform package and is not installed by default with any OS version. This vulnerability would allow an authenticated user to cause a DoS. Technically this a publically known issue since it was reported via an MSDN forum post. Any home user, and most enterprises can safely ignore this one, but if you have this component you should patch.
Adobe and Microsoft have coordinated to release a fix for a critical issue affecting Flash player (APSB14-17). Microsoft gets dragged into this because they distribute flash with Windows 8 & 8.1 and end up doing their own security advisory that they don't give an MSXX-XXX number to, but is just as important. APSB14-17 applies to pretty much every supported version (and probably some earlier versions) of Flash on Windows, Linux, & MacIntosh and has an incarnation in Adobe AIR on Android, and the AIR SDK on all of the above plus iOS. The issue covers 3 CVEs, one of which (CVE-2014-4671) relates to a publically disclosed issue where a valid SWF (flash) file composed only of alphanumeric characters can be used to accomplish a Cross Site Request Forgery (CSRF) that could allow disclosure of sensitive information.
Apparently this issue affected a number of Google services (including maps and YouTube) and Twitter, which have both recently patched, but other sites like eBay, Instagram and Tumblr were reported recently as still being vulnerable. This issue is definitely in the wild with public exploit code. Flash users should patch immediately.