March 2014 Patch Tuesday: Microsoft closes critical holes in IE, Windows

It's Patch Tuesday again, and the first update to deploy is the one that patches the critical zero-day vulnerability in Internet Explorer that attackers have been actively exploiting in the wild since February.

Today Microsoft released five security updates, two rated Critical and three rated Important. The March security bulletins address 23 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer and Silverlight.

It's Patch Tuesday again, and MS14-012 is the first update to deploy for March 2014, as it patches the critical zero-day vulnerability in Internet Explorer that attackers have been actively exploiting in the wild since at least last month. On Feb. 11, FireEye researchers identified a zero-day exploit in Internet Explorer 10 being used in Operation SnowMan, which compromised the U.S. Veterans of Foreign Wars website. Shortly thereafter, Seculert reported that a different set of attackers used the same zero-day exploit but tweaked the credential-stealing malware to impersonate a French aerospace manufacturer.

Dustin Childs, Microsoft Trustworthy Computing group manager, wrote:

We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in Security Advisory 2934088, which included a Fix it for the issue. We should also note that the observed attacks performed a check for the presence of the Enhanced Mitigation Experience Toolkit (EMET) and did not proceed if it was detected. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above.

"Obviously the IE update should be your highest priority," Childs said, "but do not ignore the update eliminating a DEP and ASLR bypass as it can have a long-term impact in improving your systems' security."

Childs added, "We are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-08."

The Microsoft Security Response Center advises the following deployment priority:

MS14-013 fixes another critical remote code execution (RCE) vulnerability in Windows.

MS14-014, rated Important, resolves a flaw in Microsoft Silverlight. "The vulnerability could allow security feature bypass if an attacker hosts a website that contains specially crafted Silverlight content that is designed to exploit the vulnerability, and then convinces a user to view the website."

MS14-015, rated Important, fixes Elevation of Privilege (EoP) vulnerabilities in all supported releases of Windows. The flaws "could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities."

Last to be deployed is MS14-016, which fixes a vulnerability in the Security Account Manager Remote (SAMR) Protocol in Microsoft Windows. The flaw "could allow security feature bypass if an attacker makes multiple attempts to match passwords to a username." The patch corrects "the manner in which Windows validates user lockout state."

If you are still using Windows XP, you'd be wise to make changing that a top priority. The end is near - the April 8th end of XP support, that is.

Follow me on Twitter @PrivacyFanatic