In its monthly security update, Microsoft released eight patches for 13 bugs in Windows, Internet Explorer (IE) and Office.
According to its Patch Tuesday security bulletin, two fixes (MS14-029 and MS14-022) are deemed “critical,” rectifying multiple remote code execution (RCE) bugs in IE and Microsoft Office server.
The remaining six patches were ranked “important” by Microsoft, and fixed additional RCE flaws in Office and elevation of privilege bugs in Windows. Other vulnerabilities in Windows, which could allow denial of service, and an Office flaw that could allow a security feature bypass, were also mitigated with the important updates.
Among this month's two critical patches, bulletin MS14-029 claims top priority for administrators.
The patch resolves two privately reported flaws in IE, which could allow remote code execution if a user views a malicious webpage using the browser.
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” the Microsoft bulletin warned. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
Microsoft also noted that one of the RCE vulnerabilities (CVE-2014-1815) addressed with bulletin MS14-029 had already been used in “limited attacks” against users. A researcher at Google, Clément Lecigne, reported the memory corruption bug, which is reminiscent of an IE flaw leveraged in April zero-day attacks.
Microsoft speedily attended to the latter vulnerability (CVE-2014-1776) with a May emergency fix.
In that instance, users running the company's no-longer-supported software, Windows XP, were among those that benefited from the unscheduled update (which was also included in this month's Patch Tuesday bulletin for those who've yet to employ the fix).
On Tuesday, Ross Barrett, senior manager of security engineering at Rapid7, said in prepared email comments to SCMagazine.com that users can no longer rely on such goodwill for additional XP patches moving forward.
Barrett wrote that “this is the first advisory that clearly would have applied to Windows XP, but for which a patch is not available.” He explained, “IE 6, 7, and 8 are vulnerable on Windows 2003 Service Pack 2, [and] this would historically have mapped to the same scope of XP patches, but not this time. Anyone still using XP just got a little less secure – not that they were well off to begin with.”
Also noted in Microsoft's Patch Tuesday release was a second critical patch, MS14-022.
The update resolves multiple RCE bugs in Microsoft Office server, with the most severe vulnerabilities allowing attacks by a remote authenticated intruder. As noted in the bulletin, exploitation could occur if an attacker sends specially crafted page content to a targeted SharePoint server.