Microsoft released four bulletins addressing 42 vulnerabilities for its Patch Tuesday release.
Bulletin MS14-052 is the only one deemed critical and addresses 37 vulnerabilities in Internet Explorer that can enable remote code execution, one of which – CVE-2013-7331 – is being used in attacks, according to the Microsoft Security Bulletin Summary for September 2014.
In a statement emailed to SCMagazine.com, Tyler Reguly, manager of security research with Tripwire, said that CVE-2013-7331 is a “known Internet Explorer information disclosure vulnerability that allows attackers to detect the installation of EMET or AV products. Given that there are known attacks in wild, patching is definitely the right thing to do and should ease some worries if someone in your enterprise encounters an exploit kit while surfing the net.”
Bulletin MS14-053 is deemed important and addresses a vulnerability in .NET Framework that enables denial-of-service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website, the bulletin summary indicates.
Wolfgang Kandek, CTO of Qualys, wrote in a Tuesday post that the bulletin “should be treated as ‘Critical’ if you have ASP.NET framework installed with your IIS webserver. If left unpatched, remote un-authenticated attackers can send HTTP/HTTPS request to cause resource exhaustion, which will ultimately lead to denial-of-service condition on the ASP.NET webserver.”
Bulletin MS14-054 is deemed important and addresses a vulnerability in Windows Task Scheduler that could enable elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application, according to the bulletin summary, which explains that the attacker must have valid logon credentials and be able to log on locally.
Finally, bulletin MS14-055 is deemed important and addresses three vulnerabilities in Microsoft Lync Server that could enable denial-of-service if an attacker sends a specially crafted request to a Lync server, the bulletin summary indicates.
The bulletin “fixes an issue in Lync server which provides infrastructure for instant messaging, VoIP, audio, video and web conferencing,” Kandek wrote. “If left unpatched, remote unauthenticated attackers can send a malicious SIP request which will cause a denial-of-service condition on the Lync server.”