This month’s Patch Tuesday features eight bulletins, the largest number of bulletins released in a single month so far this year. Of the eight bulletins, two are rated ‘critical’ and the remaining six ‘important.’ While Microsoft did release an out-of-band update for Windows XP to address a (then) zero-day vulnerability, updates for that OS are noticeably absent from this rollout.
Aside from the eight bulletins, this Patch Tuesday also includes the out-of-band security patch that was released two weeks ago addressing an Internet Explorer zero-day vulnerability. But that isn’t the only update concerning Internet Explorer. One of the two ‘critical’ updates, MS14-029, addresses two privately reported vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
The second ‘critical’ update (MS14-022) addresses multiple vulnerabilities in Microsoft Office server and productivity software. According to Microsoft, “[t]he most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.”
Two updates address vulnerabilities concerning Microsoft Office. MS14-023 resolves vulnerabilities that could allow remote code execution if a user opens an Office file located in the same network directory as a specially crafted library file. MS14-024, meanwhile, resolves a vulnerability that could allow a security feature bypass if a user “views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer.” The remaining updates address vulnerabilities that could allow elevation of privilege and denial of service if exploited.
Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page for further information. Two rules for Trend Micro Deep Security and Trend Micro Intrusion Defense Firewall plugin for OfficeScan have also been created and are available for use by system administrators:
- 1006034 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310)
- 1006056 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815)
Update as of 7:26 PM, June 12, 2014
Adobe has also released security updates to address vulnerabilities affecting Adobe Flash Player. If these vulnerabilities are successfully exploited, remote attackers can potentially take control of the system. We highly advise users to update their Adobe Flash Player to version 220.127.116.11.
Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:
- 1006062 – Adobe Acrobat And Reader Use-after-free Vulnerability (CVE-2014-0527)
- 1006070 – Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515) – 1
- 1006066 – Adobe Reader Unspecified Security Bypass Vulnerability (CVE-2014-0512)