Microsoft issued eight security updates today addressing a total of 14 vulnerabilities in Windows, Office and SharePoint Server. Three are already being exploited in the wild.
This is the first Patch Tuesday since the end of support for Windows XP and Office 2003. Even though Microsoft provided an update one week ago for all Windows versions, including Windows XP, this time they followed through on policy and did not release updates for Windows XP even though one of the updates patched today is critical and likely affects Windows XP.
Less well-known is that Microsoft Office 2003 also exited its support period in April. There are two updates to Microsoft Office, but none for Office 2003 which appears to be affected by at least one of the non-critical vulnerabilities fixed in the updates to later versions.
Even less well-known is that Microsoft SharePoint Portal Server 2003 also entered its end of support period last month. Three critical vulnerabilities in SharePoint Server versions 2007, 2010 and 2013, Office Web Apps, SharePoint Designer and SharePoint Server 2013 Client Components SDK were patched today, but no patches were issued for the 2003 product.
Three of the vulnerabilities below disclosed today are being exploited in the wild. A fourth had already been publicly disclosed. The most severe, MS14-029, almost certainly affects Windows XP, is being exploited in the wild, and is not patched on Windows XP.
- MS14-029: Security Update for Internet Explorer (2962482) — This is the most critical of today's critical updates. All supported versions of Internet Explorer on all supported versions of Windows (this no longer includes Windows XP) are vulnerable to two memory corruption vulnerabilities which could result in remote code execution. Microsoft says they are aware of limited attacks that attempt to exploit one of the vulnerabilities in Internet Explorer.
- MS14-022: — All supported versions of SharePoint Server, including 2007, 2010 and 2013, as well as Office Web Apps, SharePoint Designer and SharePoint Server 2013 Client Components SDK are vulnerable to a critical remote code execution vulnerability. A second cross-site scripting (XSS) vulnerability affects only SharePoint Server 2013, Office Web Apps 2013 and the SharePoint Server 2013 Client Components SDK. A final critical remote code execution vulnerability ("Web Applications Page Content Vulnerability") affects only Office Web Apps 2010. Microsoft considers it unlikely that functioning exploit code will be written for this last vulnerability. There is no way of knowing which, if any of these might have affected SharePoint 2003.
- MS14-024: Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033) — A vulnerability in the MSCOMCTL common controls library could allow a malicious web site to bypass ASLR (Address Space Layout Randomization). Microsoft says they are "...aware of limited, targeted attacks that attempt to exploit this vulnerability." The library comes with Microsoft Office and all shipping versions are listed as vulnerable, but it is likely to be exploited through Internet Explorer. Note: Office 2003 may well be vulnerable to this bug, but it is not listed as being updated.
- MS14-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037) — The proofing tools in Microsoft Office 2007 and 2010 and in some editions of 2013, including the RT versions, are vulnerable to a bug in the way Office checks Chinese grammar, specifically in how it loads a particular DLL. By putting a malicious DLL with a particular name in a particular network directory, an attacker could get users to load attack code. A second vulnerability, affecting certain versions of Office 2013, could allow the operator of a malicious site to obtain access tokens from Office which could be used for the user elsewhere. Microsoft considers it unlikely that functioning exploit code will be written for this last vulnerability.
- MS14-025: Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486) — A privilege escalation vulnerability exists in the way that Active Directory distributes passwords that are configured using Group Policy preferences. An authenticated attacker who successfully exploited the vulnerability could decrypt the passwords and use them to elevate privileges on the domain. According to Microsoft, this vulnerability was already publicly disclosed.
- MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) — Nearly every version of Windows is vulnerable to an elevation of privilege vulnerability in the way that .NET Framework handles TypeFilterLevel checks for some malformed objects.
- MS14-027: — All versions of Windows are vulnerable to an elevation of privilege vulnerability when the Windows Shell improperly handles file associations. A successful attacker could run code in the LocalSystem context. Microsoft says they are aware of limited attacks that attempt to exploit this vulnerability.
- MS14-028: Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488) — Server versions of Windows are vulnerable to two denial of service vulnerabilities in the way Windows handles iSCSI packets. But Microsoft says that neither is likely to result in functioning exploit code.