Microsoft is entering softly into 2014 with a minimalist version of Patch Tuesday, which is likely to be a welcome reprieve. Windows shops can expect a busy re-tooling year ahead as Microsoft not only ends support—including security updates—for Windows XP, but also will restrict the use of MD5 in digital certificates and bring changes to Windows Authenticode verification that could render some programs untrusted if they don’t pass muster.
All of today’s bulletins were rated “Important” by Microsoft, but experts urge prioritization of MS14-002, which is a patch for a zero-day vulnerability in Windows XP and Windows Server 2003. The vulnerability was publicly disclosed in November and is being exploited in conjunction with an Adobe Reader vulnerability. That flaw was patched by Adobe in May.
Today’s patch repairs a privilege escalation bug in the ND Proxy Driver that manages Microsoft’s Telephony API. Microsoft had released a mitigation that would have rendered the API unusable.
The vulnerability was rated important because it could not be exploited remotely. An attacker would need to log in to a system with valid credentials and run a malicious application in order to exploit the vulnerability locally.
“This was typically exploited by an attacker sending your user a spear phishing email with a bad Adobe link. Once clicked, that attacker could then gain administrator access to the machine,” said Russ Ernst of Lumension. “Keeping your Adobe applications fully patched will mitigate this vulnerability, but it’s important to apply MS14-002 as a defense in depth.”
Microsoft also patched a remote code execution bug in Microsoft Word and Office Web applications that merits attention, experts said. MS14-001 patches three vulnerabilities that could allow an attacker to remotely run code on a compromised machine; the hacker would have to entice the victim to open an infected attachment. The update patches Microsoft Word 2003, 2007, 2010, 2013, and 2013RT, and Office services and Web apps supported on SharePoint Server 2010, 2013 and Microsoft Web Apps Server 2013.
“On their own these vulnerabilities might not be critical, but combined they can be much more serious,” said Ben Hayak, a researcher with Trustwave’s SpiderLabs. “If an attacker used a malicious Office document to execute code that takes advantage of the privilege elevation vulnerability, then a phishing email to an unsuspecting user would be all that’s necessary.”
Microsoft also addressed another privilege escalation bug in Windows with MS14-003. This bulletin patches one vulnerability in Windows Kernel-Mode Drivers that can be exploited only with local access and valid credentials. Windows 7 and Windows Server 2008 R2 are affected by this vulnerability, Microsoft said.
“The vulnerability occurs when the driver improperly uses window handle thread-owned objects,” said Marc Maiffret, CTO of BeyondTrust. “Attackers can exploit this vulnerability to gain the ability to execute arbitrary code in the context of the kernel. This is very similar to the vulnerability fixed by MS14-002, which also provides attackers kernel level privileges if properly exploited.”
The final bulletin, MS14-004, patches a denial-of-service flaw in Microsoft Dynamics AX. An attacker could exploit the vulnerability by sending malicious data to an AX Application Object Server instance, causing it to stop responding to client requests, Microsoft said.
“This is a server side vulnerability and note that the updated service will not automatically restart, so if you are applicable, it would be best practice to manually restart the impacted service after applying the update,” Lumension’s Ernst said.
Microsoft also re-released MS13-081, addressing a stability issue that caused the original update to fail or partially install on some systems with third-party USB drivers, Microsoft said.