By Jennifer LeClaire / CIO Today. Updated September 10, 2014.
IT admins are breathing a collective sigh of relief this month. That’s because Microsoft only released four security bulletins. One, a cumulative patch for Internet Explorer, is rated critical and three are rated important. The bulletins fix 42 unique common vulnerabilities and exposures (CVEs) in Microsoft Windows, IE, Lync and .NET Framework.
Microsoft also announced plans to revise three security advisories. Redmond will include updates to Adobe Flash Player in Internet Explorer, enhance credential protections and offer additional protections for ASP.NET.
“The top deployment priority for our customers this month is the update for Internet Explorer, which addresses 37 CVEs,” said Dustin Childs, group manager for response communications at Microsoft. “In case you missed it, the August update for Internet Explorer also included new functionality to block out-of-date ActiveX controls. This functionality will be enabled with [this] update.”
Your Second Top Priority
We caught up with Russ Ernst, director, product management at security firm Lumension, to get his take on September’s Patch Tuesday. He told us September delivers a light patch load from Microsoft, and agreed that the IE update is the top priority because attackers are actively using it against vulnerable systems, and because it has been used in combination with other vulnerabilities to bypass ASLR (address space layout randomization).
“Second on your list of priorities should be MS14-054. This is an elevation of privilege vulnerability for one privately disclosed CVE in Task Scheduler,” Ernst said. “It’s rated important and Microsoft lists its deployment priority as 2.”
Moving on, MS14-053 addresses a vulnerability in the .NET Framework on Windows Server 2003, 2008 and 2012 as well as Windows Vista, 7, 8 and 8.1. Ernst said this privately disclosed CVE is an unauthenticated resource-exhaustion (denial of service) issue, and that adequate DDoS protection would also mitigate the attack. Last but not least is MS14-055, which Ernst explained covers both denial of service and information disclosure vulnerabilities in Microsoft Lync Server 2010 and 2013.
Chef’s Selection of the Day
We also turned to Tyler Reguly, manager of security research at security firm Tripwire, for his thoughts on this Patch Tuesday. He told us denial of service appears to be the chef's selection of the day, with 50 percent of the bulletins resolving remote denial of service vulnerabilities.
“If you are running ASP.NET or send Lync meeting requests to third parties, then these updates are particularly important for your organization,” he said. “In some cases, they may even be considered critical; denial of service is not something to be taken lightly.”
Given how few patches enterprises have to install in their Microsoft environments, Reguly said this might be a good time to do a little housekeeping. He suggested taking the extra cycles that would normally go into testing and applying patches and using them to track down all the old versions of Java on your systems. “A lot of people are unaware that they exist, so do a little research while these patches install,” he said. “You might be surprised.”
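As an added illustration of the housekeeping Reguly suggests (this is editorial example code, not something from the article or from Tripwire), the following PowerShell inventories Java runtimes on a Windows host three ways: products registered with the installer, runtimes registered under the JavaSoft registry keys, and stray java.exe copies bundled inside other applications. The registry paths are the standard Windows Uninstall and JavaSoft locations; the Program Files directories searched are an assumption and can be widened to other drives.

```powershell
# Added example: inventory installed Java runtimes so old copies can be found.
# Registry paths are the standard Uninstall and JavaSoft keys; the disk
# search roots below are an assumption (extend them for non-default installs).

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Products the installer knows about (JRE, JDK, Java Auto Updater, ...).
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|JRE|JDK' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, Publisher

# 2. Runtimes registered with JavaSoft (what java.exe on PATH resolves to).
#    Both the 64-bit and the WOW6432Node (32-bit) views are checked.
$javaSoftKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment'
)
$registered = foreach ($key in $javaSoftKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            if ($props.JavaHome) {
                [pscustomobject]@{ Version = $_.PSChildName; JavaHome = $props.JavaHome }
            }
        }
    }
}

# 3. Copies on disk that no installer entry points at, e.g. a JRE bundled
#    with a third-party application. FileVersion comes from the PE header.
$onDisk = Get-ChildItem -Path 'C:\Program Files', 'C:\Program Files (x86)' `
        -Recurse -Filter 'java.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Path = $_.FullName; FileVersion = $_.VersionInfo.FileVersion }
    }

Write-Host 'Installed Java products:';  $products   | Format-Table -AutoSize
Write-Host 'Registered JRE homes:';     $registered | Format-Table -AutoSize
Write-Host 'java.exe copies on disk:';  $onDisk     | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the registry and Program Files trees are fully readable. The third listing is usually the surprising one: a JRE that ships inside another product will not appear in Programs and Features and will not be touched by Java's own updater, so each hit should be compared against whatever version you consider current and either updated, removed, or documented as an accepted exception.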
Craig Young, security researcher at Tripwire, told us even though it’s a slow month for Microsoft patches, there are still 36 code execution bugs as well as an “in-the-wild” info disclosure being addressed in IE.
“This patch (MS14-052) is Microsoft’s attempt to limit the capability of exploit kits that have been identified as using an information disclosure technique to determine if particular security software were installed,” Young said.
“The flaw allows a malicious Web site to determine if a software package is installed by querying the availability of a DLL used by that software," Young added. "Information regarding active security products on a target is very useful for an attacker; it allows them to avoid raising alarms by sending detectable payloads.”