Patch Tuesday wrap-up, May 2014 – Adobe and Microsoft both patch multiple remotable holes

Patch Tuesday updates from both Microsoft and Adobe are out.

There aren’t any huge surprises this month, because we haven’t been waiting to see whether any as-yet-unpatched zero days made it into the updates.

Here are the fixes that did turn up.

Adobe patches

Adobe’s updates cover Flash, Illustrator, Reader and Acrobat.

Few Naked Security readers will have Acrobat or Illustrator, but many or most of you probably have one or both of Flash and Reader, so there’s something for almost everyone this month.

The updates cover Windows and Macintosh versions, with the ageing Flash 11 for Linux getting patched too.

Adobe bulletins APSB14-11, APSB14-14 and APSB14-15 warn that all updates close one or more RCEs, or remote code execution holes.

An RCE means a potential drive-by install, where a cybercrook can implant malware on your computer merely by enticing you to visit a booby-trapped web page, or to open an innocent-looking attachment, bypassing the usual “Are you sure” and “This could harm your computer” warnings.

That means that even a well-informed and otherwise cautious user could end up infected without seeing the sort of dialog that would usually let them head off a malware infection at the pass.

Two tips to think about:

  • These days, thanks to HTML5, a lot of interactive web functionality that used to rely on Flash is provided inside your browser. So you may be able to turn off Flash in your browser and thus reduce what’s known as your attack surface area. Try it and see. If you find that you need or prefer to have Flash, you can always turn it back on.
  • The regular Flash download page serves up a small online installer (around 1MByte) that then fetches the rest of the Flash software. This installer is notorious for “foistware” – additional software it tries to install at the same time. You may prefer to sign up for access to Adobe’s self-contained, standalone installer via the Adobe Flash Player Distribution page.

Microsoft patches

Microsoft’s updates cover a range of products, from the as-expected monthly Internet Explorer (IE) fix, through updates to Windows itself and the .NET Framework, to Office and SharePoint.

You may have read that this month’s IE update fixes one publicly-disclosed and two privately-disclosed RCE vulnerabilities.

→ Very often, a vulnerability that is publicly disclosed before a patch is ready ends up as a zero-day. A zero-day is a vulnerability that the crooks know how to exploit before you know how to patch against it. Not all vulnerabilities can be weaponised, i.e. turned into working exploits, but it’s wise to assume that someone will find a way.

That sounds much worse than it is.

The good news is that, although it is strictly true to say that this month’s MS14-029 IE patch closes an exploit that is known to have been used in the wild, that fix is for the zero-day better known as 1776.

The “1776” hole was officially patched two weeks ago with an emergency update called MS14-021, but Microsoft has decided to err on the side of caution by rolling up that out-of-band MS14-021 into the current Patch Tuesday update.

Of course, we urged you to install the 1776 fix as soon as it came out, but if your Change Control Committee is suspicious of emergency out-of-band patches, no matter how official, and decided to skip it, you’re going to get that patch in an even-more-official form now.

Further Microsoft RCEs

Two more of the eight Microsoft Bulletins this month close RCE holes:

MS14-022: SharePoint server

Practically speaking, this bug allows outsiders to send booby-trapped content to your SharePoint server, escape from the SharePoint process, and run their own code on the server itself.

For that reason, Microsoft rates this as a Critical hole, and SophosLabs rates the threat level as High.

High is the second-most serious SophosLabs level after Critical, and means that we think that there is a “strong possibility of this vulnerability being actively exploited by malware.”

The silver lining is that this is what’s known as an authenticated vulnerability, so only users who have already logged in to your SharePoint server can mount an attack.

That doesn't protect you entirely, but it does mean that random, unauthenticated visitors can't hammer on the vulnerability at will.

It's probably also a good reason to think about implementing some sort of two-factor authentication (2FA) for users to whom you want to grant logins on your SharePoint server.

2FA won't solve all your security problems, but it does make it harder for criminals to steal credentials that let them log in remotely and repeatedly.

MS14-023: Microsoft Office

This patch is for what’s known as a DLL load order vulnerability, which causes Office to look for a DLL (a shared program library – a special sort of executable program loaded at runtime) in the same directory as the file it just opened, rather than in the Office program directory, where official DLLs belong.

So, if you can persuade a user to open a Word file, say, over the network, then by sneaking a DLL into the same directory as the Word file, you can trick the user into running your DLL at the same time as they’re opening the file.

You’d have hoped that Microsoft would have weeded out all instances of this sort of bug in its software by now, not least because it published extensive advice on avoiding the problem nearly four years ago on its Security Research and Defense Blog.

But there’s many a slip, as they say, ‘twixt the cup and the lip.

This update closes one of the (hopefully few remaining) instances of this easily-made programming mistake.
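
One defensive check that follows from this description, as an added example that is not part of the original article or Microsoft's bulletin: a Python scan that reports directories on a file share where a DLL sits beside Office documents. The extension lists, function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions are assumptions chosen for this example, not a list from the bulletin.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx"}
LIB_EXTS = {".dll"}


def find_dlls_beside_documents(root):
    """Return [(directory, dlls, documents)] for every directory under root
    that holds at least one DLL next to at least one Office document."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dlls, docs = [], []
        for name in filenames:
            # Windows file names are case-insensitive, so compare in lower case.
            ext = os.path.splitext(name)[1].lower()
            if ext in LIB_EXTS:
                dlls.append(name)
            elif ext in DOC_EXTS:
                docs.append(name)
        if dlls and docs:
            findings.append((os.path.relpath(dirpath, root), sorted(dlls), sorted(docs)))
    return sorted(findings)


def build_sample_share(root):
    """Create a constructed directory tree standing in for a file share."""
    layout = {
        "finance": ["budget.xlsx", "notes.txt"],        # documents only
        "tools/bin": ["helper.dll", "tool.exe"],        # libraries only
        "incoming/q2": ["report.docx", "EXAMPLE.DLL"],  # both: reported
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"")  # empty placeholder files


def demo():
    """Run the scan over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return find_dlls_beside_documents(root)


if __name__ == "__main__":
    for directory, dlls, docs in demo():
        print(f"{directory}: DLL(s) {dlls} beside document(s) {docs}")
```

A hit is a prompt to investigate rather than proof of tampering, since some legitimate software ships libraries alongside its data files.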

Best of the rest

All but one of the remaining Microsoft patches deal with so-called EoP, or elevation of privilege vulnerabilities.

As we’ve explained before, these usually attract a rating of Important, as they have this month, rather than Critical.

That’s because an EoP on its own generally doesn’t allow outsiders to break into your network, and usually doesn’t let unauthenticated users do something they shouldn’t.

But an insider with malicious intent who has logged on as a regular user can use an EoP to acquire privileges they shouldn’t have, which is clearly a cause for concern. (Simply put, an EoP can turn a regular user into an unofficial and unlawful Administrator.)

And an outsider who has bypassed the need to log in by exploiting a remote code execution hole can combine that exploit with an EoP to get “in and then up,” so to speak.

That can turn a dangerous breach into a potentially catastrophic one, so we recommend that you consider the word Important as meaning exactly what it says: patch now, because it matters.

The bottom line

As usual, we say, “Don’t delay. Patch today.”