SpiderLabs Blog

Microsoft Patch Tuesday, October 2014

Today is the October Microsoft Patch Tuesday, and it addresses eight separate bulletins. Three bulletins are rated Critical and five are rated Important. Surprising no one, Internet Explorer is back with another Critical bulletin patching fourteen separate vulnerabilities. The spotlight of this release is MS14-060 (CVE-2014-4114). This 0-day vulnerability in the OLE package manager is being actively exploited in the wild in a campaign dubbed Sandworm. More details about it below.

Among the other bulletins is another bug in the Windows Kernel-Mode Driver. The last fix for the Kernel-Mode Driver, back in August, was pulled and re-released because it caused a blue screen on certain installations. Hopefully similar issues won't be seen this month. Another interesting vulnerability this month is in the Windows FAT32 driver. Although physical access is required to exploit it, successful exploitation results in arbitrary code execution with elevated privileges.

MS14-056 (KB2987107)
CVE-2014-4123, CVE-2014-4124, CVE-2014-4126, CVE-2014-4127, CVE-2014-4128, CVE-2014-4129, CVE-2014-4130, CVE-2014-4132, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4140, CVE-2014-4141
Cumulative Security Update for Internet Explorer

This security update resolves fourteen privately reported vulnerabilities in Internet Explorer, the majority of which are memory corruption issues. The most severe of these vulnerabilities could allow remote code execution and another allows for the bypass of ASLR memory protection. An attacker could exploit these vulnerabilities by convincing their victim to browse to a specially crafted webpage using Internet Explorer.

This security update is rated Critical for Internet Explorer 6 (IE 6), Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients and servers.

MS14-057 (KB3000414)
CVE-2014-4073, CVE-2014-4121, CVE-2014-4122
Vulnerabilities in .NET Framework Could Allow Remote Code Execution

This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of the vulnerabilities rests in how the .NET framework parses internationalized resource identifiers (iriParsing). The incorrect parsing allows for memory corruption which an attacker could use for remote code execution. The iriParsing functionality is disabled by default in .NET 4.0 applications, while in .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled. The other two vulnerabilities allow for a bypass of ASLR memory protections and escalation of user privilege.

This security update is rated Critical for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected releases of Microsoft Windows.

MS14-058 (KB3000061)
CVE-2014-4113, CVE-2014-4148
Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution

The final Critical bulletin in this release patches two vulnerabilities in the Windows Kernel-Mode Driver. The first vulnerability allows for privilege escalation for a currently logged in user due to memory corruption. The second vulnerability allows for arbitrary remote code execution because of the mishandling of TrueType fonts. To exploit the RCE vulnerability an attacker would need the victim to simply view a document with a maliciously crafted TrueType font. This could be a webpage or any office document.

This security update is rated Critical for all supported releases of Microsoft Windows.

MS14-059 (KB2990942)
Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass

This bulletin patches a cross-site scripting (XSS) vulnerability in ASP.NET MVC. An attacker could exploit this vulnerability by injecting their own malicious code into websites running ASP.NET MVC. The attacker would then need to convince a victim to access the site in order to have the malicious code executed. XSS vulnerabilities are often dismissed as low severity, but you only need to look at the Browser Exploitation Framework (BeEF) (http://beefproject.com/) to see what attackers can do with XSS.

This security update is rated Important for ASP.NET MVC 2, ASP.NET MVC 3, ASP.NET MVC 4, ASP.NET MVC 5, and ASP.NET MVC 5.1.

MS14-060 (KB3000869)
Vulnerability in OLE Could Allow Remote Code Execution

This vulnerability was discovered by iSIGHT Partners in conjunction with their ongoing investigation of a gang of Russian-based criminals dubbed the Sandworm Team. The name comes from a multitude of references to Frank Herbert's amazing science fiction series, Dune. The group has been found targeting organizations in Russia, the EU, and the USA since at least 2009. Targets included the North Atlantic Treaty Organization (NATO) and numerous utility and telecommunications companies. In this specific case the gang was caught targeting organizations with a spear-phishing attack. The malicious document involved, a PowerPoint slide deck, exploited a previously unknown vulnerability in OLE. The vulnerability allows the attacker to execute any command. In the case of the Sandworm campaign, the criminals were dropping at least two variants of the BlackEnergy malware. BlackEnergy is bot-based malware with a plugin architecture that lets it adapt to a variety of uses like DDoS, credential theft, or spam distribution.

In short: discovered by iSIGHT and dubbed Sandworm, and used in a Russian spear-phishing campaign targeting NATO, the European Union, and the telecommunications and energy sectors.

This security update is rated Important for all supported releases of Microsoft Windows.

MS14-061 (KB3000434)
Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution

This bulletin patches a memory corruption vulnerability in Microsoft Word. An attacker could trigger the execution of arbitrary code by convincing their victim to open a malicious Word document. Successful exploitation occurs with the same user rights as the current user, so the risk can be lessened by restricting which users can operate with administrative access.

This security update is rated Important for supported editions of Microsoft Word 2007, Microsoft Office 2007, Microsoft Word 2010, Microsoft Office 2010, Microsoft Office for Mac 2011, Microsoft Office Compatibility Pack, Word Automation Services, and Microsoft Office Web Apps Server 2010.

MS14-062 (KB2993254)
Vulnerability in Message Queuing Service Could Allow Elevation of Privilege

This bulletin patches a vulnerability in the Microsoft Windows Message Queuing service. By sending a specially crafted input/output control (IOCTL) request to the Message Queuing service, an attacker can gain unrestricted access to a vulnerable system. The Message Queuing service is not installed on any affected operating system by default and can only be enabled by an administrative account.

This security update is rated Important for all supported editions of Windows Server 2003.

MS14-063 (KB2998579)
Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege

This bulletin patches a vulnerability in how Windows deals with FAT32 partitions. A vulnerability in the FASTFAT driver allows for arbitrary code execution with elevated privileges. When using the FASTFAT driver, a specific function causes a buffer under-allocation. This under-allocation allows an attacker to write arbitrary code to memory locations normally reserved by Windows. Although an attacker would need physical access to a vulnerable system to exploit this vulnerability, an attack could be pulled off with a simple FAT32-formatted USB stick.

This security update is rated Important for all supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008.
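For defenders working through this month's release, the practical question is which of the eight KBs are actually present on a given host. The PowerShell snippet below is an added example written for this post, not code from SpiderLabs or Microsoft; it checks the KB identifiers listed in the bulletins above against the update history Windows reports through Get-HotFix, and, because MS14-062 only matters where the optional Message Queuing service has been enabled, it also reports whether that service exists. It assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example (not from the SpiderLabs post or Microsoft): audit a Windows
# host for the October 2014 bulletin KBs listed above and report whether the
# optional Message Queuing (MSMQ) service that MS14-062 concerns is present.
# Assumption: run in an elevated PowerShell session on the host being checked.
# Caveat: Get-HotFix only reports updates recorded by the Windows component
# store, so the Office, .NET and ASP.NET MVC updates may be installed yet not
# show up here; a cumulative IE update superseded by a later one also shows as
# MISSING even though the host is no longer vulnerable.

$bulletins = @{
    'MS14-056' = 'KB2987107'   # Internet Explorer cumulative update
    'MS14-057' = 'KB3000414'   # .NET Framework (iriParsing)
    'MS14-058' = 'KB3000061'   # Kernel-Mode Driver / TrueType fonts
    'MS14-059' = 'KB2990942'   # ASP.NET MVC XSS
    'MS14-060' = 'KB3000869'   # OLE (CVE-2014-4114, Sandworm)
    'MS14-061' = 'KB3000434'   # Word / Office Web Apps
    'MS14-062' = 'KB2993254'   # Message Queuing service (Server 2003)
    'MS14-063' = 'KB2998579'   # FASTFAT driver
}

# HotFixID values look like "KB3000869", matching the identifiers above.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($b in ($bulletins.GetEnumerator() | Sort-Object Name)) {
    $status = if ($installed -contains $b.Value) { 'INSTALLED' } else { 'MISSING  ' }
    '{0} {1} {2}' -f $status, $b.Name, $b.Value
}

# MS14-062 is only relevant if Message Queuing has actually been enabled.
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($msmq) {
    "Message Queuing service present (status: $($msmq.Status)); MS14-062 applies to this host."
} else {
    'Message Queuing service not installed; MS14-062 is not applicable to this host.'
}
```

Treat a MISSING line as a prompt to check the host's update history in Windows Update or WSUS rather than as proof that it is vulnerable, for the supersession and non-CBS-update reasons noted in the comments; an INSTALLED line for KB3000869, on the other hand, is the quick confirmation most teams wanted this month given the active Sandworm exploitation.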
