Here’s a quick review of what actually came down the chute on June’s Patch Tuesday.
Adobe published just one security bulletin this month, APSB14-16.
The update delivers a new version of Flash Player
On Windows and OS X, the major version number goes, with apparently very minor fanfare, from 13 to 14.
The recently-released Flash 13 didn’t last very long: the update bumps you from 188.8.131.52 straight to 184.108.40.206.
We don’t yet know whether this means that Adobe is adopting a Firefox-like or Chrome-like process, where every scheduled update gets a new leftmost number, or whether there are also lots of new features along with this security update.
If you can’t or won’t make the 13-to-14 jump, there is also a 220.127.116.11 available, presumably incorporating the same security fixes.
Whichever route you take, bear in mind that the vulnerabilities fixed are RCEs (remote code execution): the worst sort, by means of which an attacker can trick your computer into running malware invisibly, even if all you do is look at a web page.
Adobe calls these updates “Priority 1“, for which the company recommends patching within 72 hours.
Users of standlone Flash installations on Linux, who are back on version 11, go from 18.104.22.1689 to 22.214.171.1248.
This time, there’s an upside of being stuck on an older version: Adobe only rates the risk to Linux users as “Priority 3,” a level for which Adobe recommends patching “at your discretion.”
→ No, we don’t know quite what that means. You could probably convince yourself Adobe is saying “if you want to be really discreet then it’s OK to skip this one altogether,” but we urge you not to take that interpretation. If you have the wherewithal to do Priority 1 patches in 72 hours, as you should, why not use that approach for everything?
We already enumerated the patches that Microsoft was preparing: seven bulletins, three RCEs, two critical.
They all shipped as planned, and as we mentioned before, there is at least one critical RCE patch for every supported version of Windows, client and server, with a compulsory reboot.
So, given that you’re going to be doing a network-wide patch anyway, and a network-wide reboot, we’re saying you might as well do yourself a favour and deploy all the other patches to systems that need them at the same time.
Just think of the time your Change Control Committee could save at its Patch Tuesday meeting!
Here is an overview of the RCE updates, together with the lessons we can learn from them:
Bulletin One is a cumulative Internet Explorer patch, and you may already have seen press releases describing the 59 squashed bugs as some kind of terrible “badness record” that has been broken.
The implication seems to be that more bugs fixed means more bugs found, and more bugs found means a shabbier product, with yet more bugs left to be found.
Be careful with that argument: there weren’t any bugs fixed in Windows XP this month, for instance, but you would be unwise to infer that this means the last one has already been found and dealt with.
57 of the 59 patched holes were privately disclosed to Microsoft, or found privately by Microsoft itself, so the “record” could equally well be considered a positive sign that more bugs are being found and eliminated right now simply because more care is being taken in hunting them down.
Only two of the holes were publicly disclosed (CVE-2014-1770 and CVE-2104-1771), and even then the public disclosures merely documented the existence of vulnerabilites without giving sufficient detail for a wannabe attacker to find and exploit them more easily than if he started from scratch.
→ Admittedlty, CVE-2014-1770 was an apparently-exploitable RCE bug in IE 8, but no attacks were seen in the wild, and anyone with a more recent version of IE was in any case unaffected.
Make no mistake, MS14-035 is critical, and you need the patch as soon as you can get it.
But beware of reading too much into the vulnerability count – it can lead you into the risky thinking that individual vulnerabilities can’t add up to much on their own.
These patches, Bulletins Two and Three, fix content rendering problems in Windows and in Word respectively.
The bugs involve the programmatically incorrect processing of graphics objects by the system library GDIPLUS.DLL (MS14-036), and of fonts by Word (MS14-034).
Files such as fonts, images, documents and movies are often very complicated internally, with lots of inter-related components of varying quantity and size.
This means that you end up with complex software code to read, unravel and load these files: there are lots of file pointers to follow; temporary memory blocks to allocate; and information in one part of the file that tells you about the size and layout of data elsewhere in the file.
Attackers spend weeks, months, even years, trawling through this sort of code, looking for places where you have blundered.
Perhaps you accidentally used a memory block after you thought you’d finished with it (use after free); used a program variable without initialising it properly; or tried to stuff X+N bytes of memory into X bytes of space (buffer overflow)?
When the crooks find a slip-up of this sort, they may be able to create deliberately malformed, or crafted, files that your software doesn’t reject as bogus, makes a brave effort to load, and then crashes.
If the attackers can control the crash in some predictable way, they may be able to sneak malware onto your computer without so much as a by-your-leave.
Very simply put: the bugs fixed in MS14-036 and MS14-034 are of the “open and own” sort.
A crook could send you a dodgy document in the form of a fake invoice addressed to your company, or entice you to a bogus web page to read a free report that is aligned to your job.
Merely reading the document, or looking at the web page, could be enough to infect your computer.
Dire as that sounds, the bugs fixed in Bulletins Two and Three were privately disclosed and haven’t been seen in active use.
In other words, apply the patches, and you will almost certainly be one step ahead of the Bad Guys.
The bottom line
Patch early, patch often and, while you’re about it, patch all.
Bulletins fixing one vulnerability are often as vital as those that fix 59.