Microsoft Patch Tuesday, June 2014

June's Microsoft Patch Tuesday contains seven bulletins, including two rated "Critical" and five rated "Important". One of the two "Critical" bulletins is for Internet Explorer and contains patches for a massive fifty-nine CVEs, almost all of which are marked with a critical severity. This includes a patch for the "CMarkup Use-After-Free RCE Vulnerability" in Internet Explorer 8 (CVE-2014-1770). TippingPoint Zero Day Initiative released this advisory on May 21 without a patch from Microsoft. It's very rare for a security vendor to release any advisory when no patch is available. TippingPoint publicly disclosed the advisory after Microsoft missed a 180-day deadline set by TippingPoint.

Approximately a quarter of Internet Explorer installations are still on version 8. This is likely due to the fact that it is the most current version available for the retired Windows XP platform. With a majority of IE 8 users still running Windows XP, this means that neither an IE upgrade nor a patch will be available to most users.

MS14-030 (KB2969259)
Important
Vulnerability in Remote Desktop Could Allow Tampering
CVE-2014-0296

This vulnerability affects systems that use Microsoft's Remote Desktop service. An attacker sitting on the same network as either the client or the server could create specially crafted traffic to tamper with an existing RDP session. Since the patch enhances RDP session encryption by implementing DTLS, the weakness appears to be in the existing encryption schemes.

Affects Windows 7, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2

MS14-031 (KB2962478)
Important
Vulnerabillity in TCP Protocol Could Allow Denial of Service
CVE-2014-1811

A vulnerability in Microsoft's implementation of the TCP/IP stack could allow an attacker to perform a Denial of Serivce attack.

Affects all supported editions of Microsoft Windows

MS14-032 (KB2969258)
Important
Vulnerability in Microsoft Lync Could Allow Information Disclosure
CVE-2014-1823

This vulnerability in Microsoft Lync allows for information disclosure via a specially crafted URL. An attacker can create a URL with a valid Lync meeting ID that is improperly sanitized by the Lync Server. It could allow an attacker to execute JavaScript in the victim's browser resulting in a Cross Site Scripting attack.

Affects all supported editions of Microsoft Lync Server 2010 and Microsoft Lync Server 2013

MS14-033 (KB2966061)
Important
Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure
CVE-2014-1816

An attacker can create a malicious website that forces Internet Explorer to invoke Microsoft XML. A vulnerability in XML Core Services could then be exploited that would allow the attacker to gather personal information about the logged on victim.

Affects all supported Microsoft Windows clients and Windows servers

MS14-034 (KB2969261)
Important
Vulnerability in Microsoft Word Could Allow Remote Code Execution
CVE-2014-2778

This vulnerability in Word allows an attacker to create a malicious Word document that could result in remote code execution. The attacker would be able to execute, modify or delete files with the same permissions as the user.

Affects all supported editions of Microsoft Word 2007 and Microsoft Office Compatibility Pack

MS14-035 (KB2969262)
Critical
Cumulative Security Update for Internet Explorer
CVE-2014-0282, CVE-2014-1762, CVE-2014-1764, CVE-2014-1766, CVE-2014-1769, CVE-2014-1770, CVE-2014-1771, CVE-2014-1772, CVE-2014-1773, CVE-2014-1774, CVE-2014-1775, CVE-2014-1777, CVE-2014-1778, CVE-2014-1779, CVE-2014-1780, CVE-2014-1781, CVE-2014-1782, CVE-2014-1783, CVE-2014-1784, CVE-2014-1785, CVE-2014-1786, CVE-2014-1788, CVE-2014-1789, CVE-2014-1790, CVE-2014-1791, CVE-2014-1792, CVE-2014-1794, CVE-2014-1795, CVE-2014-1796, CVE-2014-1797, CVE-2014-1799, CVE-2014-1800, CVE-2014-1802, CVE-2014-1803, CVE-2014-1804, CVE-2014-1805, CVE-2014-2753, CVE-2014-2754, CVE-2014-2755, CVE-2014-2756, CVE-2014-2757, CVE-2014-2758, CVE-2014-2759, CVE-2014-2760, CVE-2014-2761, CVE-2014-2763, CVE-2014-2764, CVE-2014-2765, CVE-2014-2766,CVE-2014-2767, CVE-2014-2768, CVE-2014-2769, CVE-2014-2770, CVE-2014-2771, CVE-2014-2772, CVE-2014-2773

Did you catch all of those CVEs? This bulletin resolves 59 of them which is the largest bulletin so far this year. The majority of the updates address remote code execution vulnerabilities. One of them is the "CMarkup Use-After-Free RCE Vulnerability" mentioned earlier. Windows XP users will not be able to apply this patch or upgrade Internet Explorer to a non-vulnerable version. This should serve as a huge warning that they need to upgrade their operating system. For now, these users should stop using Internet Explorer as their web browser.

Affects Internet Explorer 6 (IE 6), Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11)

MS14-036 (KB2967487)
Critical
Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution
CVE-2014-1817, CVE-2014-1818

This bulletin covers two vulnerabilities. The first is in the Unicode Script Processor also known as Uniscribe. The vulnerability is in the way that Windows applications use Uniscribe to process complex fonts like Hebrew and Arabic. The second vulnerability is in GDI+, which improperly validates and processes a malformed image file. Both of these vulnerabilities would allow an attacker to execute arbitrary code with the same user rights as the victim.

Affects all supported editions of Windows, Microsoft Live Meeting 2007, Microsoft Lync 2010, Microsoft Lync 2013, Microsoft Office 2003, Microsoft Office 2007, and Microsoft Office 2010

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.