Microsoft has announced the changes it will roll out next Tuesday, as another monthly Patch Tuesday rolls around. This time there are two 'critical' bulletins on the way and three 'important' ones. The two critical bulletins cover remote code execution vulnerabilities that may require restarts, affecting Windows and Microsoft security software. The important bulletins cover an elevation of privilege in Windows and the .NET Framework, an information disclosure in Windows, and a denial of service in Windows.
Ross Barrett, manager at security firm Rapid7, explained some of the patches:
"Microsoft continues the trend they started last month of keeping Patch Tuesday relatively light. There are only five advisories this month - two critical, three important.
"The two critical advisories are unusual in that they don't touch older versions of Windows or Internet Explorer. The first patches a remote code execution vulnerability that affects Windows 7 through to Windows 8.1, including 8.1 RT. The second, also a remote code execution, is actually an issue in Forefront Protection for Exchange Server (2010).
"Given a remote code execution in a perimeter service like Forefront, I'd have to say that this is the highest priority patching issue this month. The second is, not surprisingly, the critical in Windows 7 and later."
Ziv Mador, Director at Trustwave, said:
"The upcoming Microsoft monthly security update scheduled for February 11th will feature patches for Microsoft Windows, Microsoft Forefront Protection for Exchange Server and the .Net Framework. The two bulletins rated "Critical" affect Windows and Microsoft Forefront Protection 2010 for Exchange Server. Based on the nature of these vulnerabilities, these give an attacker remote code execution capabilities.
"Since the three "Important" Windows bulletins combined affect a wide spread of Windows versions, it's likely that this security release will affect you. Only one bulletin will require a system restart. Unfortunately, this is a Windows patch mitigating a denial-of-service vulnerability affecting all versions of Windows from XP to Windows 8.1. To keep a long story short, plan on grabbing a cup of coffee sometime next Tuesday while these systems restart after the patch install. Keep calm and carry on.
"Based on the advance notification from Microsoft, there will be no new bulletins for Internet Explorer. This will mark the second month in a row where no Internet Explorer patch will be released. Currently there is no evidence of any Internet Explorer zero-days being exploited in the wild, but this does not mean that Internet Explorer is necessarily vulnerability-free. Unfortunately, all software has flaws and requires administrators to continually update software to keep secure."
In addition to Microsoft, both Adobe and Mozilla released updates this week. Wolfgang Kandek, CTO at Qualys, said:
"Adobe addressed a 0-day in Adobe Flash with an out-of-band update (APSB14-04). It fixes a vulnerability (CVE-2014-0497) that is being exploited in the wild. Flash versions 12 and 11 are affected on both Windows and Mac OS X, and Flash version 11 is affected on the Linux platform. Users of Google Chrome and Microsoft Internet Explorer 10 and 11 have gotten their updates automatically through a browser update. Users of other browsers, for example Safari on Mac OS X, Firefox or older versions of IE, need to update Flash on the operating system itself. Adobe credits Kaspersky with the discovery of the problem; Kaspersky has posted a detailed technical analysis on their blog.
"We recommend installing this update as quickly as possible. Adobe Flash is widely installed and used in the majority of web pages to provide active content for videos and games. It is difficult to restrict its use, and users cannot be expected to present any obstacle to an attack that is embedded in a well-known, trusted web-page.
"Mozilla updated Firefox to v27, which is a very popular browser with about 23% market share, according to our statistics from our free browser security tool BrowserCheck. Mozilla addressed 13 vulnerabilities. Five of the addressed vulnerabilities are rated as "critical," which means that an attacker can use them to take control over the targeted machine. Attacks of this type usually come through a website that the attacker controls, either itself a victim of the attacker, who counts on the site's normal visitors to fall prey to the attack, or specifically set up for the task and then using "Search Engine Poisoning" to attract visitors to the site. The vulnerability fixed in MFSA2014-08, one of the 5 critical ones, shows how this could work.
"In this patch, the image processing within Firefox is being fixed; to abuse the condition, an attacker would have to feed images to the browser with certain format violations to achieve a processing error and gain code execution in the browser."