SpiderLabs Blog

Microsoft Patch Tuesday, March 2014

March's Patch Tuesday includes five bulletins, two rated "Critical" and three rated "Important". The first of the two "Critical" bulletins is MS14-012. This patch fixes many memory corruption vulnerabilities, including a zero-day vulnerability in Internet Explorer that is being exploited in the wild.

Three other patches affect the Windows operating systems and probably represent the last patches we will see for the Windows XP platforms. Official support for Windows XP as well as Office 2003 is ending on April 8th and we recommend that users upgrade immediately. An update for Silverlight also marks the rare occasion where Patch Tuesday affects the Mac OS X platform.

MS14-012 (KB2925418)
Vulnerabilities in Internet Explorer
CVE-2014-0298, CVE-2014-0299, CVE-2014-0302, CVE-2014-0303, CVE-2014-0304, CVE-2014-0305, CVE-2014-0306, CVE-2014-0307, CVE-2014-0308, CVE-2014-0309, CVE-2014-0311, CVE-2014-0312, CVE-2014-0313, CVE-2014-0314, CVE-2014-0321, CVE-2014-0322, CVE-2014-0324

This bulletin covers 18 critical CVEs in Internet Explorer. All of them are memory corruption vulnerabilities. Researchers discovered one of them, CVE-2014-0322, as part of an in-the-wild exploit targeting the vulnerability in Internet Explorer 10. Trustwave SpiderLabs' Rami Kogan wrote a technical breakdown of the vulnerability and how it is being exploited. You can read his technical breakdown here: http://blog.spiderlabs.com/2014/02/internet-explorer-zero-day-cve-2014-0322.html. CVE-2014-0324 has been exploited in the wild, targeting installations of Internet Explorer 8.

This security update affects all versions of Internet Explorer 6 through 11.

MS14-013 (KB2929961)
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution

This vulnerability in Microsoft DirectShow could allow a specially crafted JPEG image to remotely execute arbitrary code. An attacker could host a malicious image on a website or embed it in a document. The code executes as DirectShow parses the image and runs with the same rights as the current user.

This security update affects Windows XP, Vista, 7, 8, 8.1 and RT, as well as Windows Server 2003, 2008 and 2012.

MS14-014 (KB2932677)
Vulnerability in Silverlight Could Allow Security Feature Bypass

Silverlight is Microsoft's answer to Adobe's Flash technology in that it provides rich applications and content streaming over the Internet. The vulnerability allows an attacker to bypass the memory security controls Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). While the vulnerability alone doesn't allow for remote code execution, it could be combined with a separate remote code execution vulnerability in order to raise the success rate of an exploit. Since Silverlight is a cross-platform product, both Mac and Windows platforms will need to apply this patch. Users can verify which version they have installed by visiting: http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx

This security update affects all versions of Silverlight prior to version 5.1.30214.0 on Mac and all supported releases of Microsoft Windows.

MS14-015 (KB2930275)
Vulnerabilities in Windows Kernel Mode Driver Could Allow Elevation of Privilege
CVE-2014-0300, CVE-2014-0323

This bulletin covers two CVEs that affect the Windows Kernel Mode Driver, Win32k.sys. CVE-2014-0300 is a privilege elevation vulnerability. If an attacker has a valid logged-in session, they can execute a malicious application that will give them full administrative rights to the system. CVE-2014-0323 can allow improper disclosure of objects in memory.

This security update affects Windows XP, Vista, 7, 8, 8.1 and RT, as well as Windows Server 2003, 2008 and 2012.

MS14-016 (KB2934418)
Vulnerability in Microsoft Remote Protocol Could Allow Security Feature Bypass

This vulnerability exists in the Security Account Manager Remote (SAMR) protocol and allows an attacker to cause Windows to incorrectly validate user lockout states.

An attacker would exploit this vulnerability in conjunction with a brute force attack. By preventing a correct check on an account lockout state, the attacker could try as many passwords as they like in order to breach a user's credentials.

This security update affects Windows XP and Vista, as well as Windows Server 2003, 2008 and 2012.
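
A defender-side check for the MS14-016 scenario above, added here as an example and not code from the original post: it flags accounts whose failed-authentication count inside one observation window exceeds the lockout threshold without a lockout ever being recorded. The record format, the threshold, the window and the account names are constructed assumptions; mapping real logs into these records is left to the reader.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # assumed policy: lock after 5 bad passwords
WINDOW = timedelta(minutes=30)   # assumed lockout observation window

def _t(minute, second=0):
    """Constructed timestamp helper: offset from 09:00 on 2014-03-11."""
    base = datetime(2014, 3, 11, 9, 0)
    return (base + timedelta(minutes=minute, seconds=second)).isoformat()

# Constructed sample records: (ISO timestamp, account, kind)
SAMPLE = (
    [(_t(0, 10 * i), "alice", "FAIL") for i in range(12)]   # no lockout at all
    + [(_t(5, 10 * i), "bob", "FAIL") for i in range(5)]
    + [(_t(6), "bob", "LOCKOUT")]                           # policy enforced
    + [(_t(10 + i), "carol", "FAIL") for i in range(3)]
    + [(_t(13), "carol", "SUCCESS")]                        # counter reset
    + [(_t(14 + i), "carol", "FAIL") for i in range(3)]
    + [(_t(40 * i), "dave", "FAIL") for i in range(8)]      # slow, outside window
)

def find_unenforced_lockouts(records, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {account: peak failures in one window} for accounts that went
    past the threshold while no lockout was recorded for them."""
    failures = defaultdict(deque)
    flagged = {}
    for ts_text, account, kind in sorted(records):
        ts = datetime.fromisoformat(ts_text)
        recent = failures[account]
        if kind in ("SUCCESS", "LOCKOUT"):
            recent.clear()       # counter reset, or lockout enforced as expected
            continue
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()     # drop failures older than the window
        if len(recent) > threshold:
            flagged[account] = max(flagged.get(account, 0), len(recent))
    return flagged

if __name__ == "__main__":
    for account, peak in find_unenforced_lockouts(SAMPLE).items():
        print(f"{account}: {peak} failures in one window, no lockout recorded")
```
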
