Microsoft today issued two critical-, three important-, and one moderate-rated security bulletins in the July edition of its monthly Patch Tuesday release. The updates address 29 security vulnerabilities in the company’s Windows operating system, Internet Explorer browser, and server software.
The critical-rated bulletins in this month’s release are a cumulative security update for Internet Explorer and a fix for a remote code execution issue in Windows Journal. The important-rated bulletins resolve vulnerabilities in the on-screen keyboard, the ancillary function driver, and DirectShow, each of which could be exploited for privilege escalation. The final, moderate-rated bulletin fixes a denial of service bug in Microsoft Service Bus.
There were one publicly disclosed and 23 privately disclosed vulnerabilities in Internet Explorer. The most serious of these bugs could enable remote code execution if a user viewed a specially crafted webpage in Internet Explorer. Upon successful exploitation, the attacker would gain the same user rights as the victim, meaning that users with fewer rights enabled would be less affected.
Craig Young, a security researcher at Tripwire, noted in an interview with Threatpost that this month’s extensive cumulative Internet Explorer update primarily addresses bugs that are more likely to be used after an attacker has gained low privileged code execution.
“This is not a good reason for security teams to relax this month though,” Young explained. “Microsoft expects all but one of the bulletins will be exploited within the next 30 days, so it’s important to deploy these updates as soon as possible.”
Regarding the size of this and other recent Internet Explorer updates, Marc Maiffret of BeyondTrust said, “It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal for massive Internet Explorer updates every Patch Tuesday.”
The other critical bulletin resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if a user opens a specially crafted Journal file. As always, the impact of such an attack would depend primarily on the level of rights the victim operates with.
“The critical vulnerability described in MS14-038 is a great example of how unused software can be abused by attackers,” Young explained. “In this case Windows Journal, which is installed by default but isn’t commonly used, can lead to arbitrary code execution.”
Qualys CTO Wolfgang Kandek described the three important-rated privilege escalation bugs to Threatpost:
MS14-039, Kandek said, is an update to the On-Screen Keyboard that allows an attacker to escape the IE sandbox. Any such attack would be very visible, as the on-screen keyboard would come up and certainly cause some consternation. MS14-040, he went on, updates the driver AFD.sys and fixes an elevation of privilege. MS14-041 is a fix to DirectShow that addresses another IE sandbox escape.
The last and least critical update resolves a denial of service vulnerability in Microsoft Service Bus for Windows Server. It could be triggered if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system.
The company explains that Microsoft Service Bus for Windows Server is not shipped with any Microsoft operating system, so a system would only be vulnerable if the software had been downloaded, installed, and configured.
“Windows Server administrators will be relieved that none of the holes being plugged by Microsoft this month can be used for remote code execution without user-interaction,” Young said.