Microsoft fixes 37 vulnerabilities
Microsoft clearly wants everyone to shake off the dog days of summer and pay attention to patching. This month’s advance notice contains nine advisories spanning a range of MSFT products.
We have the ubiquitous Internet Explorer all supported versions patch (MS14-051), with the same likely caveat that this would apply to Windows XP too, if Microsoft still supported it. This patch addresses the sole vulnerability to be actively exploited in the wild from in this month’s crop of issues, CVE-2014-2817 and the sole issue which is known to be publicly disclosed, but not known to be under active exploitation, CVE-2014-2819. Both of which are elevation of privilege issues.
MS14-043 is also a critical and remote code execution issue. It affects only the professional/ultimate/enterprise editions Windows 7 and 8/8.1 and the “Media Center TV Pack” for Vista. Fortunately, or not, depending on your point of view, this is not a true remote, but rather yet another attack where a user must be coerced into opening a malicious file.
Also of note, MS SQL Server, all supported versions are vulnerable to an issue which is a Denial of Service on most platforms, but is Important Elevation of Privilege issue on Server 2014 and 2012 x64, this is probably not critical because it will require some degree of authentication to exploit, but given the potential for that to happen in any number of circumstances this will no doubt be an important issue to administrators to address.
Beyond those we have a mixed bag of 3 other EOPs, a Remote Code Execution and two security bypass issues, all labelled Important. Windows, Office, Sharepoint and .NET are all touched by these fixes. Security and IT teams will be busy scrambling to test and apply these fixes.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.