
Small September Patch Tuesday Release Fixes Huge IE Zero-Day Hole

This month's offering includes one "critical" and three "important" bulletins that look to fix 42 different flaws.

Microsoft released its Security Update for the month of September and it's a small one compared to previous months -- only one bulletin item rated "critical" and three "important" made the cut this time around.

The lone critical update (MS14-052), a cumulative update for Microsoft's Internet Explorer Web browser, should be the first to be tackled this month. It addresses 37 vulnerabilities, including a zero-day flaw that has been seen in limited exploitation and could lead to information disclosure for attackers who take advantage of it.

The more severe of the remaining 36 privately reported flaws could lead to remote code execution (RCE) if left unpatched (and if attackers figure out a way to exploit the issues).

Along with the IE security bandages, this month's cumulative update also pushes through new security features, Microsoft's Dustin Childs said in his patch blog. "In case you missed it, the August update for Internet Explorer also included new functionality to block out-of-date ActiveX controls," wrote Childs. "This functionality will be enabled with today's update. You can see what these notifications will look like by reviewing this TechNet article. Administrative Templates are also available for those who wish to manage these settings through Group Policy."

Important Items
Microsoft's August patch also includes the following three bulletins rated "important":

  • MS14-053: Addresses a privately reported issue in Microsoft .NET Framework that could lead to a denial of service exploit if an attacker sends malicious requests to a .NET-enabled Web site. This bulletin affects all supported versions of Windows OS and Windows Server.
  • MS14-054: Fixes one privately reported flaw in Windows Task Scheduler that could lead to an elevation of privilege if harmful code is run on a system. An attacker would need to have physical access to the system for the flaw to be exploited. This item affects Windows 8, 8.1, RT and Windows Server 2012/2012 R2.
  • MS14-055: This item fixes three issues in Microsoft Lync Server that could lead to a denial of service if left unpatched. The last bulletin of the month affects both Microsoft Lync Server 2010 and 2013.

Revised Security Advisories
Along with the four bulletins for the month, Microsoft has also updated three Security Advisories.

The first is an addition to Security Advisory 2871997, which originally aimed to improve credential management and protection by adding protection for "Local Security Authority (LSA), add[ing] a restricted admin mode for Credential Security Support Provider (CredSSP), introduc[ing] support for the protected account-restricted domain user category, and enforc[ing] stricter authentication policies," according to Microsoft. Today's addendum adds functionality for Windows 7 and Windows Server 2012. Previously, cached user credential information was not cleared until a Kerberos TGT (Ticket Granting Ticket) had been obtained; now it is cleared immediately.
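As an added example, not taken from the article or from Microsoft, the PowerShell audit below checks whether the credential-protection settings that Security Advisory 2871997 introduced are actually enforced on a host. It assumes an elevated session and the registry values Microsoft documents for KB 2871997 (named in the comments); the expected values are the hardened settings, not the defaults on every OS version.

```powershell
# Added example: audit the KB2871997 credential-hardening settings on this host.
# Registry values assumed (documented by Microsoft for KB2871997 / Windows 8.1):
#   Lsa\RunAsPPL                 - LSA protection; only honoured on Windows 8.1 /
#                                  Server 2012 R2 and later
#   Lsa\DisableRestrictedAdmin   - 0 keeps RestrictedAdmin RDP mode available
#   WDigest\UseLogonCredential   - 0 stops WDigest from caching plaintext credentials
#   Lsa\TokenLeakDetectDelaySecs - seconds after which credentials of leaked logon
#                                  sessions are cleared (30 recommended)
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

$checks = @(
    @{ Name = 'LSA protection (RunAsPPL)';      Path = $lsa;     Value = 'RunAsPPL';                 Expected = 1 },
    @{ Name = 'RestrictedAdmin available';      Path = $lsa;     Value = 'DisableRestrictedAdmin';   Expected = 0 },
    @{ Name = 'WDigest plaintext caching off';  Path = $wdigest; Value = 'UseLogonCredential';       Expected = 0 },
    @{ Name = 'Leaked logon session cleanup';   Path = $lsa;     Value = 'TokenLeakDetectDelaySecs'; Expected = 30 }
)

function Get-CredentialHardeningStatus {
    foreach ($c in $checks) {
        # Missing values are reported as 'not set' so the report shows what was never configured.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Ok       = ($null -ne $actual -and $actual -eq $c.Expected)
        }
    }
}

Get-CredentialHardeningStatus | Format-Table -AutoSize
```

On Windows 7 and Server 2008 R2 the RunAsPPL row will read 'not set' because LSA protection does not exist there; the other three rows are the ones KB 2871997 makes configurable on those versions.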

Second, Microsoft has made available Security Advisory 2905247, titled "Insecure ASP.Net Site Configuration Could Allow Remote Code Execution," for automatic download and installation through Microsoft Update. When the advisory was first released in December 2013, the only way to obtain it was through a direct download link.

Finally, Security Advisory 2755801, the Adobe Flash Player update for Internet Explorer, has been updated with the latest fixes from Adobe.

Many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
