Microsoft Patch Tuesday – January 2014
Microsoft dishes up a relatively small collection of patches this month, but it’s a valuable set. The KB2916605 patches for Microsoft Word and Web Applications fix three vulnerabilities, each allowing Remote Code Execution (RCE) when successfully exploited. The patches for KB2913602 and KB2914368 both correct vulnerabilities leading to Escalation of Privilege (EoP). Together, these three patches cover five CVEs.
- CVE-2013-5065: EoP
- CVE-2014-0262: EoP
- CVE-2014-0258: RCE
- CVE-2014-0259: RCE
- CVE-2014-0260: RCE
While RCE and EoP vulnerabilities present plenty of problems by themselves, combining them can result in a potent cocktail for an attacker. The recent zero-day exploitation of Adobe Flash provides a fresh example. An attacker uses an RCE vulnerability to get malicious code running. However, it runs under the identity of the logged-in user, with that user’s privileges.
After successfully exploiting an EoP vulnerability, though, the malicious code runs with higher privileges. Exactly which privileges depends on the details of the vulnerability. On Windows, some can result in Administrator access, while others can yield System or even Local Machine privileges. On Linux and similar systems, the root user represents the ultimate goal.
At this point, the attacker controls the host, potentially more thoroughly than the actual owner of the system. Depending on just how privileged the attacked process became, and the details of the system, it could intercept every keystroke, capture every dialog box, search every file, upload every document, or even update the machine’s firmware.
So, you can see the importance of applying these patches. The vulnerabilities they fix can have very deep and pernicious impacts on your hosts.
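As an added example (not from the original post), the following Python shows one way a defender might spot the RCE-then-EoP chain described above in process-creation telemetry: it flags any process created at System integrity by a lower-integrity parent, and notes whether a content-parsing application sits in its ancestry. The event fields, the sample events and the `EXPOSED_APPS` list are constructed assumptions.

```python
# Constructed process-creation events (sample data, not from the original post).
# Field names are assumptions loosely modelled on endpoint process telemetry.
SYSTEM = "NT AUTHORITY\\SYSTEM"
EVENTS = [
    {"pid": 400,  "ppid": 4,    "image": "services.exe", "user": SYSTEM,         "integrity": "System"},
    {"pid": 812,  "ppid": 400,  "image": "svchost.exe",  "user": SYSTEM,         "integrity": "System"},
    {"pid": 2100, "ppid": 1500, "image": "explorer.exe", "user": "CORP\\alice", "integrity": "Medium"},
    {"pid": 3200, "ppid": 2100, "image": "winword.exe",  "user": "CORP\\alice", "integrity": "Medium"},
    {"pid": 3344, "ppid": 3200, "image": "cmd.exe",      "user": SYSTEM,         "integrity": "System"},
    {"pid": 3400, "ppid": 2100, "image": "mmc.exe",      "user": "CORP\\alice", "integrity": "High"},  # UAC elevation, not flagged
]

RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}
# Assumption: applications that routinely parse untrusted content (likely RCE entry points).
EXPOSED_APPS = {"winword.exe", "iexplore.exe", "acrord32.exe"}

def ancestry(event, by_pid):
    """Return image names from the event up through every ancestor present in the capture."""
    chain, seen = [], set()
    while event is not None and event["pid"] not in seen:  # 'seen' guards against pid loops
        seen.add(event["pid"])
        chain.append(event["image"])
        event = by_pid.get(event["ppid"])
    return chain

def find_privilege_jumps(events):
    """Flag processes created at System integrity whose parent was created below System."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not captured, so there is nothing to compare against
        if e["integrity"] == "System" and RANK[parent["integrity"]] < RANK["System"]:
            chain = ancestry(e, by_pid)
            findings.append({
                "pid": e["pid"],
                "chain": " <- ".join(chain),
                # True when an ancestor (not the process itself) is a content-parsing app
                "via_exposed_app": any(img in EXPOSED_APPS for img in chain[1:]),
            })
    return findings

if __name__ == "__main__":
    for finding in find_privilege_jumps(EVENTS):
        print(finding)
```

Services started by `services.exe` and the UAC-elevated `mmc.exe` are not flagged, because the first has a System parent and the second stops at High integrity.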