As expected, Microsoft delivered a patch today for a zero-day vulnerability in Internet Explorer 8 that was disclosed by HP’s Zero Day Initiative three weeks ago, six months after it was reported to the ZDI.
The IE8 patch, MS14-035, is included in a cumulative Internet Explorer rollup that patches 59 flaws in the browser. Most of them are remote-code execution bugs rolling all the way back to IE 6 running on Windows Server 2003 SP2.
The zero day affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. Microsoft said in May that it was aware of the issue.
“Although no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code,” said Craig Young, a security researcher with Tripwire.
Seven bulletins were released today, one other rated critical, and five rated important.
Experts are urging IT administrators to take a close look at a bulletin for Microsoft Word, MS14-034, which while rated important by Microsoft, should be the next highest patching priority behind IE.
Affecting Microsoft Word 2007, users could be exposed to remote code execution exploits if a malicious Word document is opened on a vulnerable computer.
“Microsoft rates it only ‘important’ because user interaction is required—one has to open a Word file—but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files,” said Qualys CTO Wolfgang Kandek. “Who wouldn’t open a document that brings new information about the company’s retirement plan? The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions of Office/Word 2010 or 2013 you are not affected.”
The second critical bulletin, MS14-036, patches remote code execution bugs in Microsoft graphics in Office and Lync that could be exploited by users visiting malicious webpages or opening a malicious Office file.
“Graphics parsing requires complex logic and has frequently been associated with attack vectors,” said Kandek. “It affects Windows, Office and the Lync IM client because they all bring their own copy.”
This month bring 2014’s total number of bulletins issued by Microsoft to 36, well below last year’s pace of 46 through June.
“We have become accustomed to see around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year which has already seen its shares of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL,” Kandek said. “Maybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.”
The remaining bulletins are rated important and include a pair of information disclosure bugs, one denial of service flaw and a tampering vulnerability.
- MS14-033 addresses an information disclosure vulnerability in Microsoft XML Core Serivces; an exploit on a website designed to invoke XML Core Services through IE could leak data to an attacker.
- MS14-032 also patches an information disclosure bug in Microsoft Lync Server. A user tricked into joining a Lync meeting by clicking on a malicious meeting URL could be exploited.
- MS14-031 fixes a denial-of-service bug in TCP. An attacker sending a malicious sequence of packets to the target system could cause it to crash.
- MS14-030 patches a vulnerability in Remote Desktop that could allow tampering, Microsoft said. If an attacker has man in the middle access to the same network segment as the targeted system during an RDP session and sends malicious RDP packets, they could exploit the vulnerability.
Adobe Patches Flash Player
Adobe released a new version of Flash Player that addresses a critical vulnerability in the software.
Flash 22.214.171.124 and earlier versions for Windows and Macintosh and Adobe Flash Player 126.96.36.1999 and earlier versions for Linux are affected.
Adobe said there are no active exploits against these vulnerabilities.