Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Microsoft Patch Tuesday, May 2014

May's Microsoft Patch Tuesday contains eight bulletins, the most of any release so far this year. Despite an out-of-band patch for Internet Explorer two weeks ago, Windows XP users will not receive any patches this cycle. This leaves XP users exposed to more than half of these bulletins including a "Critical" vulnerability in Internet Explorer. This shouldn't be a surprise since Windows XP hit its end-of-life on April 8th. Despite the fact that nearly a third of all Windows workstations run XP, the operating system is nearly 13 years old. The deadline has been extended multiple times, including the recent Internet Explorer patch, and this day has been officially coming since 2007. There is a software fix available to most all users of Windows XP. It's called Windows 7.

One of the big problems with getting people to upgrade is that Windows XP seems to be working just fine. The old idiom applies here: "If it's not broke, don't fix it." Since Windows XP appears to be working fine for most users, the motivation to upgrade isn't there. Equally true is the statement, "If it doesn't appear to be broke, don't fix it." Windows XP is old and creaky in ways that most users don't notice. New security features like Drive Encryption, User Account Control, AppLocker and Trusted Boot are only available to modern operating systems like Windows 7 and 8.

By not providing patches to Windows XP this cycle, the OS is finally showing its cracks more publicly. This may just be the final push needed for users to upgrade. The fewer vulnerable operating systems that are on the Internet helps protect everybody.

There are two "Critical" and six "Important" bulletins in this release. The two "Critical" vulnerabilities affect installations of SharePoint Server and Internet Explorer. While both are serious, the Internet Explorer vulnerability will probably affect more users. Below is a summary of each bulletin.

 

MS14-022 (KB2952166)
Critical
Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution
CVE-2014-0251, CVE-2014-1754, CVE-2014-1813

The most severe of the three CVEs covered by this bulletin could allow remote code execution for a user that is already authenticated with a SharePoint server. The other two vulnerabilities include an XSS vulnerability and the ability for an authenticated user to execute commands under the limited W3WP service account.

This bulletin affects Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013, Microsoft Office Web Apps 2010, Microsoft Office Web Apps Server 2013, Microsoft SharePoint Services 3.0, and Microsoft SharePoint Foundation 2010, Microsoft SharePoint Foundation 2013, Microsoft SharePoint Designer 2007, Microsoft SharePoint Designer 2010, and Microsoft SharePoint Designer 2013

 

MS14-029 (KB2962482)
Critical
Cumulative Security Update for Internet Explorer
CVE-2014-0310, CVE-2014-1815

Both of the vulnerabilities covered by this bulletin are memory corruption vulnerabilities that can allow an attacker to run arbitrary remote code. In order to exploit these vulnerabilities an attacker would need to lure their victim to a malicious or compromised website. Attacks have been seen in limited instances targeting CVE-2014-1815. This release also rolls in the fix for the IE zero day that was recently patched out of band in MS14-021 (CVE-2014-1776).

This bulletin affects all versions of Internet Explorer from 6 through 11.

 

MS14-023 (KB2961037)
Important
Vulnerability in Microsoft Office Could Allow Remote Code Execution
CVE-2014-1756, CVE-2014-1808

This bulletin addresses two vulnerabilities in the Microsoft Office Suite. The most severe of the two is CVE-2014-1756 which could allow an attacker execute arbitrary code, but only if the Chinese (Simplified) Language Pack Grammar Checker is installed. The second vulnerability could allow access to authentication tokens if a user opens a specially crafted Office document stored on malicious website.

This bulletin affects Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office 2013

 

MS14-024 (KB2961033)
Important
Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass
CVE-2014-1809

This vulnerability would allow a malicious Office document to bypass ASLR memory protections. ASLR helps prevent malicious shell code inserted into system memory from being successful. This type of exploit could be combined with another vulnerability to raise the success rate of remote code execution.

This bulletin affects Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office 2013

 

MS14-025 (KB2962486)
Important
Vulnerability in Active Directory Could Allow Elevation of Privilege
CVE-2014-1812

This vulnerability rests in the way Active Directory distributes passwords configured using Group Policy settings. An attacker that is already authenticated with a group may be able to obtain new local or domain administrator credentials and use them to elevate their privilege. This vulnerability has been observed exploited in the wild.

This bulletin affects Windows Vista, Windows 7, Windows 8, and Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2

 

MS14-026 (KB2958732)
Important
Vulnerability in .NET could allow Remote Code Execution
CVE-2014-1806

This bulletin represents one vulnerability in Microsoft .NET Framework. It would require a custom application that has been designed to use .NET Remoting, a feature of the framework that allows applications to share data over a network. In this case an unauthenticated attacker could send maliciously crafted data to the application that can result in remote code execution.

This bulletin affects all versions of Windows running:
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1

 

MS14-027 (KB2962488)
Important
Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege
CVE-2014-1807

This bulletin covers a single vulnerability in how the Windows Shell handles file associations. The ShellExecute function could allow a locally logged in to execute arbitrary code in the context of the Local System account. Access in the context of Local System would give the attacker full local administrative rights.

This bulletin affects all supported releases of Windows.

 

MS14-028 (KB2962485)
Important
Vulnerability in iSCSI Could Allow Denial of Service
CVE-2014-0255, CVE-2014-0256

This bulletin covers two vulnerabilities in Windows systems with iSCSI enabled. iSCSI (Internet Small Computer Systems Interface) allows systems to access storage devices over the network. Both of these CVEs are Denial of Service vulnerabilities through improper handling of packets and sessions.

This bulletin affects all supported editions of Windows Server 2008 (except Itanium), Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2012, and Windows Server 2012 R2

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo