Patch Tuesday wrap-up, September 2014 – why even a single-bit data leak is worth fixing

Patch Tuesday for September 2014 is here, bringing us security fixes from Adobe and Microsoft.

Between them, the two companies have published a modest five updates so far this month, issuing patches for Flash Player (and Adobe AIR); Internet Explorer (IE); Microsoft Lync Server; the .NET Framework; and the Windows Task Scheduler.

Additionally, Adobe has issued a prenotification (a word that seems to mean the same as “notification”) that an update is coming for its Acrobat and Reader products, but not until next week, some time on or after 15 September 2014.

In Adobe’s own words, “the release was delayed to address issues identified during regression testing.”

→ You’ll hear the word regression frequently in software engineering: the word comes from a Latin root that means “to step backwards”. In the context of patching and updates, it refers to a situation where fixing a known bug introduces a new one, or exposes another as-yet unknown bug, or even accidentally re-introduces a bug that was fixed before.

So you’ll have to wait for your Acrobat and Reader fix, but the Flash update is available right now.

Adobe isn’t saying whether any of the bugs patched in Flash are already known to the crooks, but the patch fixes 12 CVE-listed vulnerabilities, including remote code execution (RCE) holes.

Remember that RCE, also called click-to-own or open-and-own, means that an attacker can potentially infect you without warning.

Typically, a click-to-own exploit gets you to view something uncontroversial – such as a Flash video in a web page – that ought to be safe, but is booby-trapped with malicious executable code that infects your computer.

The Flash update applies to all supported platforms (Windows, OS X and Linux), and is understandably rated at Adobe’s Priority One, suggesting you should install it “as soon as possible.”

Microsoft patches

From the Microsoft stable there is only one update that fixes RCE holes, and that’s the Cumulative Update for Internet Explorer.

The RCEs are amongst 36 privately-discovered vulnerabilities, which means that Microsoft very likely got there before the crooks did.

In other words, promptly applying this patch puts you ahead of, rather than merely allowing you to catch up with, the Bad Guys.

There is also a publicly-known hole in IE this month, however, and it’s an intriguing one.

Loosely speaking, if you know how to exploit this vulnerability, you can ask Internet Explorer the question, “Does a file exist named X?”

You can’t acquire a list of filenames; you can’t change any file contents; and you can’t even peek inside any part of any file.

In short, you get a single-bit information disclosure giving you a 1/0 (i.e. a Yes/No) answer.

It doesn’t sound like much, does it?

But holes of this sort are very much worth fixing because cybercriminals can use the mere existence of a file to help them plot future attacks.

This is exactly the same reason that intelligence agencies love so-called metadata about emails, phone calls and so on, telling them who spoke to whom without worrying what was actually said.

→ You might not be certain that I just wrote an article about Patch Tuesday. But if you already know that I am interested in vulnerabilities and exploits, and you know that I wrote an article about something first thing on the morning after Patch Tuesday, you can make an educated guess at its content.

For example, specific program files can tell you what anti-virus software is running; help files may tell you which ISP a potential victim uses; named DLLs can denote whether there is known-buggy software installed; and device drivers might let you differentiate between a cash register and an office desktop.
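To make the “single bits add up” point concrete, here is an added Python example (mine, not code from the article, Microsoft or Sophos): a constructed fingerprint table of four made-up machine profiles and a simulated Yes/No file-existence oracle, showing how two one-bit answers narrow four candidates down to one, i.e. two bits of information leaked. The marker file names and profile labels are placeholders, not real product paths.

```python
import math

# Constructed fingerprint table for a hypothetical fleet of four machine
# profiles. File names and profile labels are made-up placeholders; the
# point is the inference, not the names.
PROFILES = {
    "office-desktop / av-vendor-A": {"av_a.exe", "office_suite.dll"},
    "office-desktop / av-vendor-B": {"av_b.exe", "office_suite.dll"},
    "cash-register / av-vendor-A":  {"av_a.exe", "pos_device.sys"},
    "cash-register / no-av":        {"pos_device.sys"},
}

def consistent_profiles(profiles, answers):
    """Profiles whose marker files agree with every Yes/No answer so far."""
    return {
        name for name, files in profiles.items()
        if all((path in files) == present for path, present in answers.items())
    }

def bits_leaked(population_before, population_after):
    """Information gained, in bits, by shrinking the candidate set."""
    return math.log2(population_before / population_after)

def run_probes(machine_files, profiles, probe_paths):
    """Simulate a one-bit 'does file X exist?' oracle against a constructed
    machine and measure how far a sequence of such questions narrows the
    candidate profiles. Returns (remaining profiles, bits leaked, answers)."""
    answers = {}
    remaining = set(profiles)
    for path in probe_paths:
        answers[path] = path in machine_files  # the only thing the oracle reveals
        remaining = consistent_profiles(profiles, answers)
    # An empty set means the machine matches no known profile; treat that as
    # fully distinguished from all of them rather than dividing by zero.
    bits = bits_leaked(len(profiles), max(len(remaining), 1))
    return remaining, bits, answers

if __name__ == "__main__":
    # Constructed target: a cash register protected by vendor A.
    machine = {"av_a.exe", "pos_device.sys", "unrelated.txt"}
    left, bits, ans = run_probes(machine, PROFILES, ["office_suite.dll", "av_a.exe"])
    print(f"answers={ans} remaining={left} bits={bits:.1f}")
```

Each answer is worth at most one bit, but the second question is chosen in light of the first, so a handful of questions can pin down a configuration; that is what makes the disclosure worth patching on its own.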

Obviously, you’ll want the IE update at once because it is rated critical on account of the RCE holes.

But it would be worth getting even if the file-existence information disclosure bug were the only vulnerability that had been patched.

Elevation of Privilege

Microsoft has also fixed an Elevation of Privilege (EoP) in the Windows Task Scheduler.

This system service lets you specify programs, such as backup jobs or email notifications, that should run automatically on your behalf in the future.

To do its job, Task Scheduler needs to run as Local System, giving it almost complete control over the computer; to stop you abusing it, the Scheduler uses a technique known as impersonation when it starts a program you have requested.

That means it relinquishes its Local System powers whenever it runs your jobs, and gives itself exactly the same privileges you would have if you ran the scheduled task directly.

But it turns out there is a (privately-disclosed) vulnerability that causes Task Scheduler to bungle its impersonation, and to run your jobs as itself.

That means that you can trick the Scheduler into carrying out administrator-type tasks of your choice, even though you don’t have administrator rights.

This bug won’t let a crook hack into your network in the first place, but it could let an attacker who’s already breached your defences do much more damage than would otherwise be possible.

Denial of Service

Bugs that could let an outsider clog up your IIS and Lync servers were also fixed in Microsoft’s update bundle.

That’s what’s known as a Denial of Service (DoS); as with EoP vulnerabilities, a DoS can’t get a crook into your network, but server downtime that’s triggered by an attacker can nevertheless put your business operations in clear danger.

DoSes can also be used as part of an attack, to distract attention from, or to delay reports of, more egregious criminal activity elsewhere.

For example, if you’re busy phoning a company’s employees one by one to try to cajole security information out of them (what is known as social engineering), then taking down the helpdesk server at the same time might make it very much harder for vigilant staff members to report what they consider to be suspicious phone calls.

The bottom line

There are no low-level patches this month, such as the kernel update that provoked a Blue Screen of Death for some unfortunate Windows users last month.

So don’t use last month’s news as an excuse to put off this month’s patches: as we said above, fixing privately disclosed RCE holes is a great way to get ahead of the crooks instead of merely catching up.

And don’t forget to keep your eyes out for next week’s delayed patches to Acrobat and Reader.
