Microsoft Patch Tuesday – January 2014

Microsoft dishes up a relatively small collection of patches this month, but it’s a valuable set. The KB2916605 patches for Microsoft Word and Web Applications fix three vulnerabilities, all providing Remote Code Execution (RCE) when successfully exploited. The patches for KB2913602 and KB2914368 both correct vulnerabilities leading to Escalation of Privilege (EoP). Together, these three patches cover five CVEs.

  • CVE-2013-5065: EoP
  • CVE-2014-0262: EoP
  • CVE-2014-0258: RCE
  • CVE-2014-0259: RCE
  • CVE-2014-0260: RCE

While RCE and EoP vulnerabilities present plenty of problems by themselves, combining them can result in a potent cocktail for an attacker. The recent zero-day exploitation of Adobe Flash provides a fresh example. An attacker uses an RCE vulnerability to get malicious code running. However, it runs under the identity of the logged-in user, with that user’s privileges.

After successfully exploiting an EoP vulnerability, though, the malicious code runs with higher privileges. Exactly which privileges depends on the details of the vulnerability. On Windows, some can result in Administrator access, while others can yield System or even Local Machine privileges. On Linux and similar systems, the root user represents the ultimate goal.

At this point, the attacker controls the host, potentially more thoroughly than the actual owner of the system. Depending on just how privileged the attacked process became, and the details of the system, it could intercept every keystroke, capture every dialog box, search every file, upload every document, or even update the machine’s firmware.
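From the defender's side, the jump described above leaves a trace in process-creation telemetry: a process at System integrity whose parent was created at the logged-in user's level. The sketch below is an added example, not part of the original article; the records are constructed, their field names follow Sysmon Event ID 1, and the Medium-to-System rule is an assumed heuristic rather than a complete detection.

```python
# Constructed sample records (field names as in Sysmon Event ID 1, process creation).
EVENTS = [
    {"ProcessGuid": "A1", "ParentProcessGuid": "A0", "IntegrityLevel": "Medium",
     "User": r"CORP\alice", "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "A2", "ParentProcessGuid": "A1", "IntegrityLevel": "Medium",
     "User": r"CORP\alice", "Image": r"C:\Program Files\Office\WINWORD.EXE"},
    # Child of a user-level Word process running as SYSTEM: the pattern of interest.
    {"ProcessGuid": "A3", "ParentProcessGuid": "A2", "IntegrityLevel": "System",
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\cmd.exe"},
    # Ordinary UAC elevation (Medium parent, High child): expected, not flagged.
    {"ProcessGuid": "A4", "ParentProcessGuid": "A1", "IntegrityLevel": "High",
     "User": r"CORP\alice", "Image": r"C:\Windows\System32\mmc.exe"},
    # Normal service start: both sides already at System.
    {"ProcessGuid": "B1", "ParentProcessGuid": "B0", "IntegrityLevel": "System",
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\services.exe"},
    {"ProcessGuid": "B2", "ParentProcessGuid": "B1", "IntegrityLevel": "System",
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\svchost.exe"},
]

RANK = {"Low": 1, "Medium": 2, "High": 3, "System": 4}


def find_privilege_jumps(events):
    """Return (parent, child) pairs where a System-integrity child was
    spawned by a parent that was itself created below High integrity."""
    # Index creation records so each child is compared with the level its
    # parent had when the parent started, not with a later snapshot.
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for child in events:
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None:
            continue  # parent started outside the log window; nothing to compare
        c_rank = RANK.get(child["IntegrityLevel"])
        p_rank = RANK.get(parent["IntegrityLevel"])
        if c_rank is None or p_rank is None:
            continue  # unknown level string; skip rather than guess
        if c_rank == RANK["System"] and p_rank < RANK["High"]:
            findings.append((parent, child))
    return findings


if __name__ == "__main__":
    for parent, child in find_privilege_jumps(EVENTS):
        print(f'{parent["Image"]} ({parent["IntegrityLevel"]}, {parent["User"]}) -> '
              f'{child["Image"]} ({child["IntegrityLevel"]}, {child["User"]})')
```
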

So, you can see the importance of applying these patches. They represent possibilities of very deep and pernicious impacts on your hosts.

Doug Franklin

Research Technologist, IBM Security X-Force
