As expected, Microsoft today pushed its largest batch of Patch Tuesday updates so far this year today – eight bulletins, two critical – addressing 13 issues in Internet Explorer and Sharepoint Server, along with Windows, Office and its .NET Framework.
The first critical issue that involves IE (MS14-029) we’re learning about for the first time today. It stems from two privately reported memory corruption vulnerabilities that could allow an attacker to remotely execute code if they got a user to visit a rigged webpage. Researchers with Google’s Security Team have already spotted limited instances of one of the vulnerabilities (CVE-2014-1815) being targeted, which means this should probably be No. 1 on users’ patching agendas.
The batch of patches also includes a second critical security update for IE (MS14-021) that addresses a previously disclosed vulnerability in versions 6 through 11 of the browser. Microsoft released an out-of-band emergency patch for this issue on May 1 and threw a life raft to XP users in the process by making the patch available for users still running XP available via Automatic Update. Those who didn’t apply the out-of-band update will be happy to see it’s bundled in with this month’s other IE update, MS14-029.
As many experts have pointed out however, this is not a cumulative IE update. As Ross Barrett, Rapid7’s Senior Manager of Security Engineering said, this is something that “breaks with the recent trend of IE patching,” This means if users haven’t yet installed last month’s IE patch, MS14-018, it’s likely this year’s, MS14-029, could give them trouble.
The other critical update affects multiple vulnerabilities in Microsoft’s Sharepoint Server that could allow remote code execution if an authenticated attacker were to send specially crafted page content to a server. This basically means that if someone had the capability to upload on SharePoint – authenticated or unauthenticated, they could upload a heap of data that could lead to code execution, something that could raise the ire of an end user, depending on how frequently they use the program.
Microsoft pushed a flurry of other fixes today as well, six to be exact, that fix various important issues in Windows, Office and its .NET Framework.
Missing from the updates are patches for vulnerabilities dug up at March’s Pwn2Own hacking competition, including three IE vulnerabilities that bypassed sandboxes and compromised the underlying system. It’s expected now that those fixes will see the light of day in June.
The updates are the first issued by the company since it ended support for both Windows XP and Office 2003, meaning that users still running either of the dated systems will continue to be considered vulnerable until they update to Windows 7.
The updates will also be some of the last for those running Windows 8.1. Microsoft announced on its TechNet blog last month that it would stop providing security updates to those running older versions of 8.1. The company recently released a large 8.1 update and is encouraging users running the OS to download the most recent update if they want security patches.
In a blog entry yesterday the company pointed out that it has extended its requirement for consumer customers to update to 8.1 from today until June 10 but that after that date, like it promised, those who haven’t updated will not receive security updates.
Adobe also released two updates today, fixing critical issues in Reader and Acrobat XI (11.0.06), along with a surprise Flash issue.
The Reader and Acrobat updates affect a handful of issues, including memory corruption, use-after-free and double-free vulnerabilities. Strung together the wrong way, they could cause a crash and potentially let an attacker take control of an affected system. Two issues in particular are addressed here that VUPEN dug up to topple Reader XI at PWN2OWN. Chaouki Bekrar and company relied on both a heap overflow vulnerability and an input validation error that could lead to security bypass to accomplish their executions.
The Flash Player update involves version 18.104.22.168 of the software and earlier versions for Windows, Macintosh and Linux. The issues were not previously made clear in a security bulletin but address vulnerabilities discovered by Keen Team and other researchers that could result in arbitrary code execution and ultimately let an attacker take control of the affected system.
Adobe also released a minor security hotfix for Adobe Illustrator CS6 today, fixing a stack overflow vulnerability – something also marked critical by the company – that could lead to remote code execution.