Patch Tuesday wrap-up, June 2014 - both Adobe and Microsoft close "remotable" holes

Filed Under: Adobe, Adobe Flash, Featured, Microsoft, Vulnerability, Windows

Here's a quick review of what actually came down the chute on June's Patch Tuesday.

Adobe published just one security bulletin this month, APSB14-16.

The update delivers a new version of Flash Player

On Windows and OS X, the major version number goes, with apparently very minor fanfare, from 13 to 14.

The recently-released Flash 13 didn't last very long: the update bumps you from 13.0.0.214 straight to 14.0.0.125.

We don't yet know whether this means that Adobe is adopting a Firefox-like or Chrome-like process, where every scheduled update gets a new leftmost number, or whether there are also lots of new features along with this security update.

If you can't or won't make the 13-to-14 jump, there is also a 13.0.0.223 available, presumably incorporating the same security fixes.

Whichever route you take, bear in mind that the vulnerabilities fixed are RCEs (remote code execution): the worst sort, by means of which an attacker can trick your computer into running malware invisibly, even if all you do is look at a web page.

Adobe calls these updates "Priority 1", for which the company recommends patching within 72 hours.

Users of standlone Flash installations on Linux, who are back on version 11, go from 11.2.202.359 to 11.2.202.378.

This time, there's an upside of being stuck on an older version: Adobe only rates the risk to Linux users as "Priority 3," a level for which Adobe recommends patching "at your discretion."

→ No, we don't know quite what that means. You could probably convince yourself Adobe is saying "if you want to be really discreet then it's OK to skip this one altogether," but we urge you not to take that interpretation. If you have the wherewithal to do Priority 1 patches in 72 hours, as you should, why not use that approach for everything?

Microsoft

We already enumerated the patches that Microsoft was preparing: seven bulletins, three RCEs, two critical.

They all shipped as planned, and as we mentioned before, there is at least one critical RCE patch for every supported version of Windows, client and server, with a compulsory reboot.

So, given that you're going to be doing a network-wide patch anyway, and a network-wide reboot, we're saying you might as well do yourself a favour and deploy all the other patches to systems that need them at the same time.

Just think of the time your Change Control Committee could save at its Patch Tuesday meeting!

Here is an overview of the RCE updates, together with the lessons we can learn from them:

MS14-035

Bulletin One is a cumulative Internet Explorer patch, and you may already have seen press releases describing the 59 squashed bugs as some kind of terrible "badness record" that has been broken.

The implication seems to be that more bugs fixed means more bugs found, and more bugs found means a shabbier product, with yet more bugs left to be found.

Be careful with that argument: there weren't any bugs fixed in Windows XP this month, for instance, but you would be unwise to infer that this means the last one has already been found and dealt with.

57 of the 59 patched holes were privately disclosed to Microsoft, or found privately by Microsoft itself, so the "record" could equally well be considered a positive sign that more bugs are being found and eliminated right now simply because more care is being taken in hunting them down.

Only two of the holes were publicly disclosed (CVE-2014-1770 and CVE-2104-1771), and even then the public disclosures merely documented the existence of vulnerabilites without giving sufficient detail for a wannabe attacker to find and exploit them more easily than if he started from scratch.

→ Admittedlty, CVE-2014-1770 was an apparently-exploitable RCE bug in IE 8, but no attacks were seen in the wild, and anyone with a more recent version of IE was in any case unaffected.

Make no mistake, MS14-035 is critical, and you need the patch as soon as you can get it.

But beware of reading too much into the vulnerability count - it can lead you into the risky thinking that individual vulnerabilities can't add up to much on their own.

MS14-036 and MS14-034

These patches, Bulletins Two and Three, fix content rendering problems in Windows and in Word respectively.

The bugs involve the programmatically incorrect processing of graphics objects by the system library GDIPLUS.DLL (MS14-036), and of fonts by Word (MS14-034).

Files such as fonts, images, documents and movies are often very complicated internally, with lots of inter-related components of varying quantity and size.

This means that you end up with complex software code to read, unravel and load these files: there are lots of file pointers to follow; temporary memory blocks to allocate; and information in one part of the file that tells you about the size and layout of data elsewhere in the file.

Attackers spend weeks, months, even years, trawling through this sort of code, looking for places where you have blundered.

Perhaps you accidentally used a memory block after you thought you'd finished with it (use after free); used a program variable without initialising it properly; or tried to stuff X+N bytes of memory into X bytes of space (buffer overflow)?

When the crooks find a slip-up of this sort, they may be able to create deliberately malformed, or crafted, files that your software doesn't reject as bogus, makes a brave effort to load, and then crashes.

If the attackers can control the crash in some predictable way, they may be able to sneak malware onto your computer without so much as a by-your-leave.

Click to read our 'Anatomy of an Exploit' article...

Very simply put: the bugs fixed in MS14-036 and MS14-034 are of the "open and own" sort.

A crook could send you a dodgy document in the form of a fake invoice addressed to your company, or entice you to a bogus web page to read a free report that is aligned to your job.

Merely reading the document, or looking at the web page, could be enough to infect your computer.

Dire as that sounds, the bugs fixed in Bulletins Two and Three were privately disclosed and haven't been seen in active use.

In other words, apply the patches, and you will almost certainly be one step ahead of the Bad Guys.

The bottom line

Patch early, patch often and, while you're about it, patch all.

Bulletins fixing one vulnerability are often as vital as those that fix 59.

, , , , , ,

You might like

6 Responses to Patch Tuesday wrap-up, June 2014 - both Adobe and Microsoft close "remotable" holes

  1. 2857 · 81 days ago

    Can we get HTTPS across Sophos and Naked Security please as I think it will be good to have it so we can browse all the pages in the comfort of security.

  2. Texas ISO · 81 days ago

    Minor typo in the first sentence of the second paragraph.

    [quote]On Windows and OS X, the m[b]a[/b]jor version number goes, with apparently very minor fanfare, from 13 to 14.
    [/quote]

  3. Darryl · 81 days ago

    Why would Microsoft be patching XP a month after its EOL?

    • jimcsecurity · 81 days ago

      Hi Darryl,

      You are correct, Windows XP should not be patched since it is EOL. However given that it was patched on the 1st of May (after its EOL date on the 8th of April) there is a perception that it may be patched again. From what was published at the time this exception was made due to that update patching a zero day flaw that was under active exploitation and it arrived very shortly after the 8th of April.

      However since 2 months have now passed it is increasingly less likely that further patches will be created. In my opinion, no further patches should be developed for Windows XP since it would cause further confusion as to whether it is EOL or not.

      I hope this helps. Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog