Microsoft's July Patch Includes IE, Windows Journal Fixes
Microsoft's monthly security update comes with fixes for 29 flaws and includes three updated security advisories.
Microsoft's monthly security update for July arrived Tuesday morning with two bulletin items rated "critical" for Internet Explorer and Windows Journal. Along with the two critical items, three bulletins rated "important" and one rated "moderate" round out this month's offerings, with a total of 29 vulnerability fixes spread over the six items.
This month's top priority for IT should be bulletin MS14-037, a cumulative fix for all supported versions of Microsoft's Internet Explorer Web browser that addresses one publicly disclosed and 23 privately disclosed flaws. The most critical could lead to a remote code execution (RCE) attack if gone unpatched. However, Microsoft has yet to see any of the 24 flaws being used in the wild by attackers. "Similar to last month, we have not seen any active attacks attempting to exploit any of the CVEs addressed by this security bulletin -- or any of the other issues we addressed this month," wrote Dustin Childs, group manager for the Microsoft Trustworthy Computing group, in a blog post. "Addressing these items before there is any customer impact from attacks remains our goal with security bulletins."
Childs also took the opportunity to remind Windows 7 and 8 users that to have the highest level of security for Microsoft's browser, upgrading to Internet Explorer 11 should also be a priority.
The second and final critical item of the month, bulletin MS14-038, takes care of another RCE flaw, this time in Windows. Exploitation could occur if a malicious Windows Journal file is opened. All supported versions of Windows (including 8.1 and RT) and Windows Server are affected by this privately reported vulnerability.
If you're a little fuzzy on what Windows Journal is, don't worry, you're not alone. "What's that you ask? I had to look it up too," commented Russ Ernst, director for product management at security firm Lumension, in an e-mailed statement. "This is a really old note-taking program but it continues to run in nearly every version of Windows, even 8.1. The important class vulnerability is exploited by sending someone a malicious journal file so in addition to patching, you might block e-mails with the file type .jnt or .jtp to the spam folder."
Important and Moderate Items
Microsoft's July patch also includes the following three important items and a rare "moderate" bulletin:
- MS14-039: This bulletin addresses an elevation of privilege flaw in Windows that could allow an attacker to pull up the built-in Windows On-Screen Keyboard (OSK) to execute a malicious file.
- MS14-040: Fixes another elevation of privilege vulnerability in Windows (specifically in the Ancillary Function Driver (AFD). An attacker would need to be logged in locally and have the right credentials to exploit this flaw.
- MS14-041: This item attempts to fix a flaw in Windows' DirectShow that could lead to another elevation of privilege attack if gone unpatched.
- MS14-042: This moderate rated bulletin item targets a publicly disclosed vulnerability in Microsoft Service Bus 1.1 for Windows Server.
Many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.
Microsoft also released three revisions for previously issued security advisories today. The first, an update for Security Advisory 2871997, changes the Restricted Admin mode on Windows 8.1 and Windows Server 2012 R2. According to Childs, this adds new strategies to avoid credential theft.
The second, Security Advisory 2960358, revises an update that allows users to disable RC4 in Transport Layer Security (TLS) for Microsoft .NET Framework. The purpose of disabling RC4 is to close a hole that could allow attackers to pull off man-in-the-middle exploits that could lead to plaintext being captured from encrypted sessions. Today's update includes a Microsoft Update Catalog detection change that will alert users who have not yet applied the advisory. If previously applied, no actions are needed.
Finally, Microsoft has updated its Adobe Flash Player advisory (Security Advisory 2755801) to include the fixes released by Adobe in the past month.