Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Microsoft Patch Tuesday, May 2014

May's Microsoft Patch Tuesday contains eight bulletins, the most of any release so far this year. Despite an out-of-band patch for Internet Explorer two weeks ago, Windows XP users will not receive any patches this cycle. This leaves XP users exposed to more than half of these bulletins including a "Critical" vulnerability in Internet Explorer. This shouldn't be a surprise since Windows XP hit its end-of-life on April 8th. Despite the fact that nearly a third of all Windows workstations run XP, the operating system is nearly 13 years old. The deadline has been extended multiple times, including the recent Internet Explorer patch, and this day has been officially coming since 2007. There is a software fix available to most all users of Windows XP. It's called Windows 7.

One of the big problems with getting people to upgrade is that Windows XP seems to be working just fine. The old idiom applies here: "If it's not broke, don't fix it." Since Windows XP appears to be working fine for most users, the motivation to upgrade isn't there. Equally true is the statement, "If it doesn't appear to be broke, don't fix it." Windows XP is old and creaky in ways that most users don't notice. New security features like Drive Encryption, User Account Control, AppLocker and Trusted Boot are only available to modern operating systems like Windows 7 and 8.

By not providing patches to Windows XP this cycle, the OS is finally showing its cracks more publicly. This may just be the final push needed for users to upgrade. The fewer vulnerable operating systems that are on the Internet helps protect everybody.

There are two "Critical" and six "Important" bulletins in this release. The two "Critical" vulnerabilities affect installations of SharePoint Server and Internet Explorer. While both are serious, the Internet Explorer vulnerability will probably affect more users. Below is a summary of each bulletin.


MS14-022 (KB2952166)
Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution
CVE-2014-0251, CVE-2014-1754, CVE-2014-1813

The most severe of the three CVEs covered by this bulletin could allow remote code execution for a user that is already authenticated with a SharePoint server. The other two vulnerabilities include an XSS vulnerability and the ability for an authenticated user to execute commands under the limited W3WP service account.

This bulletin affects Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013, Microsoft Office Web Apps 2010, Microsoft Office Web Apps Server 2013, Microsoft SharePoint Services 3.0, and Microsoft SharePoint Foundation 2010, Microsoft SharePoint Foundation 2013, Microsoft SharePoint Designer 2007, Microsoft SharePoint Designer 2010, and Microsoft SharePoint Designer 2013


MS14-029 (KB2962482)
Cumulative Security Update for Internet Explorer
CVE-2014-0310, CVE-2014-1815

Both of the vulnerabilities covered by this bulletin are memory corruption vulnerabilities that can allow an attacker to run arbitrary remote code. In order to exploit these vulnerabilities an attacker would need to lure their victim to a malicious or compromised website. Attacks have been seen in limited instances targeting CVE-2014-1815. This release also rolls in the fix for the IE zero day that was recently patched out of band in MS14-021 (CVE-2014-1776).

This bulletin affects all versions of Internet Explorer from 6 through 11.


MS14-023 (KB2961037)
Vulnerability in Microsoft Office Could Allow Remote Code Execution
CVE-2014-1756, CVE-2014-1808

This bulletin addresses two vulnerabilities in the Microsoft Office Suite. The most severe of the two is CVE-2014-1756 which could allow an attacker execute arbitrary code, but only if the Chinese (Simplified) Language Pack Grammar Checker is installed. The second vulnerability could allow access to authentication tokens if a user opens a specially crafted Office document stored on malicious website.

This bulletin affects Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office 2013


MS14-024 (KB2961033)
Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass

This vulnerability would allow a malicious Office document to bypass ASLR memory protections. ASLR helps prevent malicious shell code inserted into system memory from being successful. This type of exploit could be combined with another vulnerability to raise the success rate of remote code execution.

This bulletin affects Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office 2013


MS14-025 (KB2962486)
Vulnerability in Active Directory Could Allow Elevation of Privilege

This vulnerability rests in the way Active Directory distributes passwords configured using Group Policy settings. An attacker that is already authenticated with a group may be able to obtain new local or domain administrator credentials and use them to elevate their privilege. This vulnerability has been observed exploited in the wild.

This bulletin affects Windows Vista, Windows 7, Windows 8, and Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2


MS14-026 (KB2958732)
Vulnerability in .NET could allow Remote Code Execution

This bulletin represents one vulnerability in Microsoft .NET Framework. It would require a custom application that has been designed to use .NET Remoting, a feature of the framework that allows applications to share data over a network. In this case an unauthenticated attacker could send maliciously crafted data to the application that can result in remote code execution.

This bulletin affects all versions of Windows running:
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1


MS14-027 (KB2962488)
Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege

This bulletin covers a single vulnerability in how the Windows Shell handles file associations. The ShellExecute function could allow a locally logged in to execute arbitrary code in the context of the Local System account. Access in the context of Local System would give the attacker full local administrative rights.

This bulletin affects all supported releases of Windows.


MS14-028 (KB2962485)
Vulnerability in iSCSI Could Allow Denial of Service
CVE-2014-0255, CVE-2014-0256

This bulletin covers two vulnerabilities in Windows systems with iSCSI enabled. iSCSI (Internet Small Computer Systems Interface) allows systems to access storage devices over the network. Both of these CVEs are Denial of Service vulnerabilities through improper handling of packets and sessions.

This bulletin affects all supported editions of Windows Server 2008 (except Itanium), Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2012, and Windows Server 2012 R2

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More