May's Microsoft Patch Tuesday contains eight bulletins, the most of any release so far this year. Despite an out-of-band patch for Internet Explorer two weeks ago, Windows XP users will not receive any patches this cycle. This leaves XP users exposed to more than half of these bulletins including a "Critical" vulnerability in Internet Explorer. This shouldn't be a surprise since Windows XP hit its end-of-life on April 8th. Despite the fact that nearly a third of all Windows workstations run XP, the operating system is nearly 13 years old. The deadline has been extended multiple times, including the recent Internet Explorer patch, and this day has been officially coming since 2007. There is a software fix available to most all users of Windows XP. It's called Windows 7.
One of the big problems with getting people to upgrade is that Windows XP seems to be working just fine. The old idiom applies here: "If it's not broke, don't fix it." Since Windows XP appears to be working fine for most users, the motivation to upgrade isn't there. Equally true is the statement, "If it doesn't appear to be broke, don't fix it." Windows XP is old and creaky in ways that most users don't notice. New security features like Drive Encryption, User Account Control, AppLocker and Trusted Boot are only available to modern operating systems like Windows 7 and 8.
By not providing patches to Windows XP this cycle, the OS is finally showing its cracks more publicly. This may just be the final push needed for users to upgrade. The fewer vulnerable operating systems that are on the Internet helps protect everybody.
There are two "Critical" and six "Important" bulletins in this release. The two "Critical" vulnerabilities affect installations of SharePoint Server and Internet Explorer. While both are serious, the Internet Explorer vulnerability will probably affect more users. Below is a summary of each bulletin.
MS14-022 (KB2952166)
Critical
Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution
CVE-2014-0251, CVE-2014-1754, CVE-2014-1813
The most severe of the three CVEs covered by this bulletin could allow remote code execution for a user that is already authenticated with a SharePoint server. The other two vulnerabilities include an XSS vulnerability and the ability for an authenticated user to execute commands under the limited W3WP service account.
This bulletin affects Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013, Microsoft Office Web Apps 2010, Microsoft Office Web Apps Server 2013, Microsoft SharePoint Services 3.0, and Microsoft SharePoint Foundation 2010, Microsoft SharePoint Foundation 2013, Microsoft SharePoint Designer 2007, Microsoft SharePoint Designer 2010, and Microsoft SharePoint Designer 2013
MS14-029 (KB2962482)
Critical
Cumulative Security Update for Internet Explorer
CVE-2014-0310, CVE-2014-1815
Both of the vulnerabilities covered by this bulletin are memory corruption vulnerabilities that can allow an attacker to run arbitrary remote code. In order to exploit these vulnerabilities an attacker would need to lure their victim to a malicious or compromised website. Attacks have been seen in limited instances targeting CVE-2014-1815. This release also rolls in the fix for the IE zero day that was recently patched out of band in MS14-021 (CVE-2014-1776).
This bulletin affects all versions of Internet Explorer from 6 through 11.
MS14-023 (KB2961037)
Important
Vulnerability in Microsoft Office Could Allow Remote Code Execution
CVE-2014-1756, CVE-2014-1808
This bulletin addresses two vulnerabilities in the Microsoft Office Suite. The most severe of the two is CVE-2014-1756 which could allow an attacker execute arbitrary code, but only if the Chinese (Simplified) Language Pack Grammar Checker is installed. The second vulnerability could allow access to authentication tokens if a user opens a specially crafted Office document stored on malicious website.
This bulletin affects Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office 2013
MS14-024 (KB2961033)
Important
Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass
CVE-2014-1809
This vulnerability would allow a malicious Office document to bypass ASLR memory protections. ASLR helps prevent malicious shell code inserted into system memory from being successful. This type of exploit could be combined with another vulnerability to raise the success rate of remote code execution.
This bulletin affects Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office 2013
MS14-025 (KB2962486)
Important
Vulnerability in Active Directory Could Allow Elevation of Privilege
CVE-2014-1812
This vulnerability rests in the way Active Directory distributes passwords configured using Group Policy settings. An attacker that is already authenticated with a group may be able to obtain new local or domain administrator credentials and use them to elevate their privilege. This vulnerability has been observed exploited in the wild.
This bulletin affects Windows Vista, Windows 7, Windows 8, and Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2
MS14-026 (KB2958732)
Important
Vulnerability in .NET could allow Remote Code Execution
CVE-2014-1806
This bulletin represents one vulnerability in Microsoft .NET Framework. It would require a custom application that has been designed to use .NET Remoting, a feature of the framework that allows applications to share data over a network. In this case an unauthenticated attacker could send maliciously crafted data to the application that can result in remote code execution.
This bulletin affects all versions of Windows running:
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
MS14-027 (KB2962488)
Important
Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege
CVE-2014-1807
This bulletin covers a single vulnerability in how the Windows Shell handles file associations. The ShellExecute function could allow a locally logged in to execute arbitrary code in the context of the Local System account. Access in the context of Local System would give the attacker full local administrative rights.
This bulletin affects all supported releases of Windows.
MS14-028 (KB2962485)
Important
Vulnerability in iSCSI Could Allow Denial of Service
CVE-2014-0255, CVE-2014-0256
This bulletin covers two vulnerabilities in Windows systems with iSCSI enabled. iSCSI (Internet Small Computer Systems Interface) allows systems to access storage devices over the network. Both of these CVEs are Denial of Service vulnerabilities through improper handling of packets and sessions.
This bulletin affects all supported editions of Windows Server 2008 (except Itanium), Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2012, and Windows Server 2012 R2