This month we release five bulletins to address 23 unique CVEs in Microsoft Windows, Internet Explorer and Silverlight. If you need to prioritize, the update for Internet Explorer addresses the issue first described in Security Advisory 2934088, so it should be at the top of your list. While that update does warrant your attention, I want to also call out another impactful update.
MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn’t publicly known and it isn’t under active attack, however it can impact your security in ways that aren’t always obvious. Specifically, the update removes an avenue attackers could use to bypass ASLR protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, “The hidden harmony is better than the obvious” - Shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security.
Let’s not forget the other updates we released today. This month we release two Critical and three Important bulletins. Here’s an overview of this month’s release:
Click to enlarge
Our top deployment priority this month is MS14-012, which address 18 issues in Internet Explorer.
MS14-012 | Cumulative Security Update for Internet Explorer
This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in Security Advisory 2934088, which included a Fix it for the issue. We should also note that the observed attacks performed a check for the presence of the Enhanced Mitigation Experience Toolkit (EMET) and did not proceed if it was detected. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above. The SRD blog goes into more detail about how shutting down that bypass helped. For all issues addressed by this update, successful exploitation could allow an attacker to gain the same user rights as the local user. Customers with automatic updates enabled will not need to take action, as they will be updated automatically.
We are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-08. For more information about this update, including download links, see Microsoft Knowledge Base Article 2938527. Also, for those of you who may be interested, KB864199 provides a list of the non-security updates released today. This list includes the latest update for the Malicious Software Removal Tool (MSRT), which now includes detections for the Wysotot and Spacekito malware families.
Watch the bulletin overview video below for a brief summary of today's releases.
For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Webpage.
My colleagues Andrew Gross and Pete Voss will host the monthly bulletin webcast and answer your questions about this month’s release. As usual, the webcast is scheduled for Wednesday, March 12, 2014, at 11 a.m. PDT. Please register here, and tune in to learn more about this month’s security bulletins and advisories.
For all the latest information, you can also follow us at @MSFTSecResponse.
If you happen to be at the CanSecWest conference in Vancouver, B.C, please swing by our booth (number 4) to say hello!
Group Manager, Response Communications
Microsoft Trustworthy Computing