Microsoft released eight security bulletins (MS14-022 – MS14-029) on Tuesday, May 13, 2014. A number of security advisories were also announced and are covered in this blog post. Affected software includes SharePoint, Office, Internet Explorer, Remote Server Administration Tools, .NET Framework, Windows Shell handler, iSCSI and Adobe Flash. Microsoft has placed the bulletins into three deployment priorities: MS14-029, MS14-024, and MS14-025 are in Deployment Priority 1; MS14-022, MS14-023, and MS14-027 are in Deployment Priority 2; MS14-026 and MS14-028 are in Deployment Priority 3. MS14-029 and MS14-022 are both listed as Critical, with the remaining bulletins listed as Important. All of them are listed with an Exploit Index of 1, except for MS14-024 and MS14-028. Microsoft recommends that all of these security patches be applied if at all possible.
The following is further information about each security bulletin.
MS14-022: Vulnerabilities in Microsoft SharePoint Server could allow Remote Code Execution (2952166)
CVE-2014-0251 and CVE-2014-1813 have a severity of Critical and the impact is Remote Code Execution. CVE-2014-1754 is categorized as Important with the impact of Elevation of Privilege. All supported editions of SharePoint Server, Office Web Apps Server, SharePoint Services 3.0, SharePoint Foundation 2010, SharePoint Foundation 2013, and SharePoint Designer are affected by this vulnerability.
For the exploit to be used the attacker must be able to authenticate on the target SharePoint Server, and Microsoft recommends that customers apply all updates offered by the software installed on the system.
MS14-023: Vulnerabilities in Microsoft Office could allow Remote Code Execution (2961037)
CVE-2014-1756 and CVE-2014-1808 both have a severity of Important, with CVE-2014-1756 allowing Remote Code Execution and CVE-2014-1808 being Information Disclosure. All supported versions of Microsoft Office are affected.
An attacker can convince a user to open an Office-related file located in the same directory as a DLL file the attacker created, which runs malicious code on the user's computer. A mitigating factor is that only systems with the Grammar checker for Chinese (Simplified) feature enabled are affected. CVE-2014-1756 is related to Security Advisory 2269637.
MS14-024: Vulnerability in a Microsoft Common Control could allow security feature bypass (2961033)
CVE-2014-1809 is listed with a severity of Important and an impact of Security Feature Bypass. This affects all supported versions of Microsoft Office. A successful exploit could allow the attacker to bypass the ASLR security feature. The bypass itself does not allow arbitrary code execution, however, and the vulnerability cannot be used automatically through email. While it does not allow for code execution, it can make other vulnerabilities more reliable.
MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege (2962486)
CVE-2014-1812 is listed as a severity of Important and has an impact of Elevated Privileges. All versions of Remote Server Administration Tools installed on Windows Vista and newer are affected. The attacker would need to gain domain access. If Group Policy is then used to perform certain tasks, such as mapping a network drive, the attacker could retrieve and decrypt the password stored in Group Policy Preferences.
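To find out whether a domain already has passwords stored this way, the sketch below audits a copy of SYSVOL for preference items that carry one. It is an added example, not code from Microsoft or from this post; it assumes the stored password sits in an XML attribute named `cpassword` and that the account is named by `userName`, `runAs` or `accountName`, and the sample tree, GUID and account names are constructed. It reports where a password is stored and never decodes it.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Attributes that name the account in common preference items (lower-cased).
ACCOUNT_ATTRS = ("username", "runas", "accountname")

def audit_gpp(root_dir):
    """Walk a SYSVOL copy; return (findings, unparsed XML files).
    findings: (relative path, item tag, account) for each item whose child
    element has a non-empty cpassword attribute; the value is never decoded."""
    findings, unparsed = [], []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root_dir)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                unparsed.append(rel)  # needs a manual look, do not skip silently
                continue
            for item in tree.iter():
                for child in item:
                    attrs = {k.lower(): v for k, v in child.attrib.items()}
                    if attrs.get("cpassword"):
                        acct = next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), "")
                        findings.append((rel, item.tag, acct))
    return sorted(findings), sorted(unparsed)

def build_sample(root):
    """Write a constructed SYSVOL-like tree; every value here is made up."""
    samples = [
        ("User", "Drives", '<Drives><Drive name="S:"><Properties '
         'userName="EXAMPLE\\svc_map" cpassword="CONSTRUCTED"/></Drive></Drives>'),
        ("Machine", "Groups", '<Groups><User name="local"><Properties '
         'userName="local" cpassword=""/></User></Groups>'),
        ("Machine", "Services", "<NTServices><broken"),  # truncated on purpose
    ]
    for scope, kind, xml in samples:
        folder = os.path.join(root, "Policies", "{CONSTRUCTED-GUID}", scope, "Preferences", kind)
        os.makedirs(folder)
        with open(os.path.join(folder, kind + ".xml"), "w", encoding="utf-8") as fh:
            fh.write(xml)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_gpp(tmp))
```

Installing the update stops new passwords from being saved through these preferences; entries already present in SYSVOL stay there until an administrator removes them and changes the affected account passwords.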
MS14-026: Vulnerability in .NET Framework could allow elevation of privilege (2958732)
CVE-2014-1806 is listed as a severity of Important and has an impact of Elevated Privileges. All supported editions of Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, and Microsoft .NET Framework 4.5.1 are affected. Only systems that run an affected version of .NET Framework and also use .NET remoting can be exploited. As .NET remoting is not widely used anymore, most systems should be safe from this exploit to begin with.
MS14-027: Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)
CVE-2014-1807 is listed as a severity of Important and has an impact of Elevated Privileges. All supported versions of Microsoft Windows are affected by this exploit. An attacker would require valid logon credentials and be able to log on locally to exploit this vulnerability. Once this is achieved, however, they could run an application that could grant them a more elevated level of privilege than the current account.
MS14-028: Vulnerabilities in iSCSI Could Allow Denial of Service (2962485)
CVE-2014-0255 and CVE-2014-0256 are both listed as a severity of Important and have an impact of Denial of Service. Supported editions of Windows Storage Server 2008 (except Itanium), Windows Server 2008 R2 (except Itanium), Windows Server 2012, and Windows Server 2012 R2 are affected. Microsoft said Windows 8 was not listed here as the fix would have ended up breaking the majority of applications, so they suggest using the provided workarounds for Windows 8 systems:
- Limit the attack surface from untrusted networks by placing iSCSI on its own isolated network, separate from any network on which internet traffic flows.
- Configure your firewall to restrict access to TCP port 3260 to authorized iSCSI client IP addresses.
MS14-029: Security Update for Internet Explorer (2962482)
CVE-2014-0310 and CVE-2014-1815 both have a severity of Critical with an impact of Remote Code Execution. IE7 – IE11 on all supported versions of Windows Client and IE6 – IE11 on all supported versions of Windows Server are affected. The client-side list starts with IE7 because IE6 can only be installed on Windows XP, which is no longer supported, so this fix will not be applied if you are still using Windows XP.
Microsoft has also issued a number of security advisories.
- Microsoft Security Advisory 2960358: Update for Disabling RC4 in .NET Framework TLS
- Microsoft Security Advisory 2962824: Update Rollup of Revoked Non-compliant UEFI Modules
- Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management
- Microsoft Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
If you are still holding onto Windows XP, now would be a good time to move off the platform. In time Windows XP will show more and more security cracks and flaws which will not be resolved due to it being end of life. Staying on the platform will only expose you to unnecessary security risks.
Security update source information can be found on Microsoft’s website.