SANS Internet Storm Center

Microsoft will release a special update later today (10am PT, 1pm ET, 7pm UTC) fixing the Internet Explorer vulnerability which has been used in targeted attacks recently. The vulnerability was announced late last week and affects Internet Explorer 6 and later on Windows versions back to Windows XP. The patch will be published as MS14-021 in line with the May update which is still expected for Tuesday, May 13th.

We do rate this bulletin as "PATCH NOW!" for clients. Even though many organizations started to move away from Internet Explorer as a primary browser, it may still launch in some cases and unless you are using a non-Microsoft operating system you are likely vulnerable. Even servers should apply this patch, but it is less likely that the vulnerability is exposed on a server. Microsoft downplays the risk of the vulnerability for servers by labeling it as "Moderate" due to the crippled default configuration of Internet Explorer on servers.

The patch pre-announcement does specifically list Widnows XP SP3 as vulnerable, indicating that the patch may cover Windows XP SP 3 even though no more patches were expected for Windows XP.

Overview of the May 2014 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	clients	servers
MS14-021	Vulnerabilities in Internet Explorer
MS14-021	Microsoft Internet Explorer CVE-2014-1776	KB 2963983	Used in targeted exploits.	Severity:Critical Exploitability: 1	PATCH NOW!	Critical

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

[1] https://technet.microsoft.com/en-us/library/security/ms14-may.aspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022

Johannes

4352 Posts
ISC Handler

May 1st 2014

A most welcome news, to be certain. Thanks for the update Johannes :)

ChrisHolland

3 Posts

Download links in the bulletin for at least IE6 and 7 on Windows XP SP3 work and will download a standalone update. The WinXP-SP3 IE8 link appears broken when I tried it, but I expect that will be fixed soon enough.

Brian Bartlett

5 Posts

Kudos to Microsoft for the quick patch. However, I have a mixed reaction to it issuing a patch for XP, which will happen, according to the security bulletin. I'm happy for my few remaining XP users. I'm chagrined because I have been assuring users for some time that the April 8th patches were absolutely, positively the last that would be issued for XP. This waffling makes Microsoft look indecisive, and can only create expectations that more XP patches are forthcoming. I really don't mind if MS makes itself look bad. However, in the process it has also undermined the credibility of those of us who told our users that the April 8 deadline was real. I'm more than a bit miffed at that.

-SAM

Brian Bartlett
10 Posts

I read in the Technet article that the most recent cumulative update for IE is a prerequisite for this patch to avoid certain compatibility issues. That would be MS14-018 or MS14-012 depending on the version of IE being updated, if I remember correctly.

G

Gavin

4 Posts

I guess that this is available for Windows XP because it is a patch to Internet Explorer, not Windows, and the same version of IE is available for Windows 2003 Server which is still supported.

patermann

patermann

35 Posts

Quoting Anonymous:However, I have a mixed reaction to it issuing a patch for XP, which will happen, according to the security bulletin. I'm happy for my few remaining XP users. I'm chagrined because I have been assuring users for some time that the April 8th patches were absolutely, positively the last that would be issued for XP. This waffling makes Microsoft look indecisive, and can only create expectations that more XP patches are forthcoming. I really don't mind if MS makes itself look bad. However, in the process it has also undermined the credibility of those of us who told our users that the April 8 deadline was real. I'm more than a bit miffed at that.
-SAM

Nothing new of the wobble of MS SAM. However, like you, I am pleased they did this for the XP users for this reason only. MS has known for years about this issue, long before Vista, 7, 8 et all. One of the many reasons few (like myself) use I.E. Contemporaneously speaking, sad that the GOV did not hold MS accountable for this security issue long ago. Like Java folly, it takes the GOV to say stop using it before companies "smell the coffee" Now the GOV should tack on fee's to these companies when the use lethargic mode in fixing.

Regards..

ICI2I

63 Posts

Heck, government's one of the worst offenders. Not only does our state gov have web apps that towns are required to use that work ONLY in IE, but they actually distribute systems to certain local entities and *require* them to run them - they're still on XP. But "it's ok because they're on a VPN." 0_o

Jaybone

27 Posts