OK, it’s Friday, but it is still time to report Microsoft’s Patch Tuesday release of four security bulletins to fix 42 vulnerabilities in Windows, Internet Explorer, Lync and .NET Framework.
Only one comes in at the critical level, which is an Internet Explorer Zero Day, and it resolves 37 vulnerabilities including a remote code execution flaw.
That flaw has a case number of MS14-052. The bulletin fixes a Zero Day vulnerability CVE-2013-7331 in IE which allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes. Attackers can take advantage of this vulnerability by using malware to check if anti-malware products or EMET is on the target system.
This IE bulletin marks the eighth straight month of an IE patch.
Microsoft recommends deploying MS14-054 next as it fixes a privately reported local elevation of privilege problem in Windows with an exploitability index of one. This security update comes in at an important rating for all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
Microsoft also gave MS14-053 a “two” as the deployment number, but it does have a denial of service vulnerability patch. If left unpatched, remote un-authenticated attackers can send HTTP/HTTPs request to cause resource exhaustion which will ultimately lead to deal-of-service condition on the ASP.NET webserver, officials said.
MS14-055 resolves three privately reported vulnerabilities in Microsoft Lync Server, which an attacker could exploit for denial of service.
In addition to this month’s security bulletins, Microsoft Trustworthy Computing Group Manager Dustin Childs said we have revised three Security Advisories. Security Advisory 2871997 – Update to Improve Credentials Protection and Management to announce an update for supported editions of Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’ credentials when logging into a Windows 7 or Windows Sever 2008 R2 system by ensuring that credentials end up cleaned up immediately instead of waiting until receiving a Kerberos TGT (Ticket Granting Ticket). Security Advisory 2905247 – Insecure ASP.Net Site Configuration Could Allow Remote Code Execution ended up revised to offer the update via Microsoft Update, in addition to the Download-Center-only option, provided when this advisory originally released. If you have already installed this update, you do not need to take any action. Finally, Childs said, we also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.