Microsoft released five patches—two rated as "Critical" and three as "Important"—fixing 23 vulnerabilities in Internet Explorer, Microsoft Windows, and Silverlight as part of March's Patch Tuesday update. The IE patch also closed the zero-day vulnerability attackers have been exploiting since February.
Attackers exploited the critical zero-day vulnerability (CVE-2014-0322) in Internet Explorer 10 last month as part of Operation SnowMan, which compromised the website belonging to the US Veterans of Foreign Wars, as well as in a different attack impersonating a French aerospace manufacturer. The IE patch (MS14-022) closes this flaw as well as 17 others, including one which has been used in limited targeted attacks against Internet Explorer 8 (CVE-2014-0324), Dustin Childs, a group manager at Microsoft Trustworthy Computing, wrote on the Microsoft Security Response Centre blog.
"Obviously the IE update should be your highest priority," Childs said.
Issues with Silverlight
The other critical patch fixes a critical remote code execution flaw in DirectShow and affects multiple versions of Windows. The vulnerability is in how JPEG images are parsed by DirectShow, making it likely that attacks exploiting this flaw will insert malicious images inside compromised web pages or embed them within documents, said Marc Maiffret, CTO of BeyondTrust. It's worth noting that users running with non-administrator privileges will be less affected by these attacks because the attacker will be limited in the damage he or she can cause.
The security feature bypass in Silverlight is rated as "important" but should also be fairly high priority. Attackers can exploit the flaw by directing users to a malicious site containing specially crafted Silverlight content, Microsoft said. What's dangerous is that by exploiting this vulnerability attackers can bypass ASLR and DEP, two exploit mitigation technologies built into Windows, Maiffret warned. After bypassing ASLR and DEP, an attacker would still need a secondary exploit to achieve remote code execution and gain control of the system, as with the ASLR bypass flaw patched in December (MS13-106). While there are currently no attacks exploiting this flaw in the wild, users should block Silverlight from running in Internet Explorer, Firefox, and Chrome until the patch is applied, Maiffret said. It's also important to make sure older patches have already been deployed.
Microsoft should give up on Silverlight as "it sees a lot of patches given its limited adoption," suggested Tyler Reguly. Since Microsoft will continue supporting it till at least 2021, organisations should start migrating away from Silverlight so that "we could all uninstall Silverlight and effectively increase the security of end user systems," he added.
Remaining Microsoft Patches
Another patch that should be applied sooner rather than later is the one addressing a pair of elevation of privilege vulnerabilities in the Windows Kernel Mode Driver (MS14-014), as it affects all supported versions of Windows (for this month, that still includes Windows XP). To exploit this flaw, the attacker "must have valid logon credentials and be able to log on locally," Microsoft warned.
The final patch fixes issues in the Security Account Manager Remote (SAMR) Protocol which let attackers brute-force Active Directory accounts without the account being locked out. The patch fixes that API call so that Windows correctly locks accounts when under attack. "Password attempt lock-out policies are put in place specifically to prevent brute-force attempts and allowing a malicious attacker to bypass the policy completely defeats the protection it provides," Reguly said.
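As an added defensive example (not part of this article or of Microsoft's fix): because the SAMR flaw let failed attempts accumulate without the lockout policy firing, it is worth detecting brute-force activity from authentication failure events independently of whether lockout occurred. The pipe-separated log layout and sample lines below are constructed, and the threshold and window values are assumed policy settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|event_id|account|source_ip". 4776 (credential
# validation failed) and 4625 (logon failed) are real Windows IDs; 4624 is a success.
SAMPLE_EVENTS = """\
2014-03-12T09:00:01|4776|jdoe|10.0.0.5
2014-03-12T09:00:02|4776|jdoe|10.0.0.5
2014-03-12T09:00:03|4776|jdoe|10.0.0.5
2014-03-12T09:00:04|4776|jdoe|10.0.0.5
2014-03-12T09:00:05|4776|jdoe|10.0.0.5
2014-03-12T09:00:06|4776|jdoe|10.0.0.5
2014-03-12T09:00:07|4776|jdoe|10.0.0.5
2014-03-12T09:05:00|4625|asmith|10.0.0.9
2014-03-12T09:05:30|4625|asmith|10.0.0.9
2014-03-12T09:06:00|4624|asmith|10.0.0.9
"""

# Assumed policy values: mirror what the domain lockout policy would enforce.
LOCKOUT_THRESHOLD = 5                       # failures allowed before lockout
OBSERVATION_WINDOW = timedelta(minutes=30)  # lockout observation window

def parse_events(text):
    """Parse the constructed pipe-separated lines into (time, id, account, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split("|")
        events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return events

def find_lockout_escapes(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Return {account: peak failures within one window} for accounts whose
    failure count exceeded the threshold, i.e. where lockout should have fired."""
    recent = defaultdict(deque)   # account -> timestamps of failures still in window
    hits = {}
    for ts, event_id, account, _source in sorted(events):
        if event_id not in (4625, 4776):  # only failed-authentication events count
            continue
        window_q = recent[account]
        window_q.append(ts)
        while window_q and ts - window_q[0] > window:   # drop failures outside window
            window_q.popleft()
        if len(window_q) > threshold:
            hits[account] = max(hits.get(account, 0), len(window_q))
    return hits
```

Accounts reported here exceeded the configured threshold inside the window, so under a working lockout policy they would have been locked; on a host missing the SAMR fix, this is the signal the policy failed to produce.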
Other Software Updates
This is the week for operating system updates. Apple released iOS 7.1 earlier this week, and Adobe updated its Adobe Flash Player (APSB14-08) to close two vulnerabilities today. The issues are not currently being exploited in the wild, Adobe said.
Apple fixed some significant issues in iOS 7, including a crash-reporting issue which could allow a local user to change permissions on arbitrary files on the affected devices, a kernel issue which could allow for an unexpected system termination or arbitrary code execution in the kernel, and a bug which allowed an unauthorised user to bypass code-signing requirements on affected devices. Apple also fixed a bug which could enable an attacker to entice a user into downloading a malicious app via Enterprise App Download and another which allowed a maliciously crafted backup file to alter the iOS file system.