Microsoft Security Bulletin MS14-078 - Moderate
Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)
Published: November 11, 2014
Version: 1.0
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Input Method Editor (IME) (Japanese). The vulnerability could allow sandbox escape based on the application sandbox policy on a system where an affected version of the Microsoft IME (Japanese) is installed. An attacker who successfully exploited this vulnerability could escape the sandbox of a vulnerable application and gain access to the affected system with logged-in user rights. If the affected system is logged in with administrative rights, an attacker could then install programs; view, change or delete data; or create new accounts with full administrative rights.
This security update is rated Moderate on all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; it is also rated Moderate for all supported editions of Microsoft Office 2007 where Microsoft IME (Japanese) is installed. For more information, see the Affected Software section.
The security update addresses the vulnerability by correcting how the Microsoft IME (Japanese) component loads dictionary files that are associated with the vulnerability. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.
For more information about this document, see Microsoft Knowledge Base Article 2992719.
Affected Software
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
| Operating System | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
|---|---|---|---|
| Windows Server 2003 | |||
| Windows Server 2003 Service Pack 2 (2991963) | Elevation of Privilege | Moderate | None |
| Windows Server 2003 x64 Edition Service Pack 2 (2991963) | Elevation of Privilege | Moderate | None |
| Windows Server 2003 with SP2 for Itanium-based Systems (2991963) | Elevation of Privilege | Moderate | None |
| Windows Vista | |||
| Windows Vista Service Pack 2 (2991963) | Elevation of Privilege | Moderate | None |
| Windows Vista x64 Edition Service Pack 2 (2991963) | Elevation of Privilege | Moderate | None |
| Windows Server 2008 | |||
| Windows Server 2008 for 32-bit Systems Service Pack 2 (2991963) | Elevation of Privilege | Moderate | None |
| Windows Server 2008 for x64-based Systems Service Pack 2 (2991963) | Elevation of Privilege | Moderate | None |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 (2991963) | Elevation of Privilege | Moderate | None |
| Windows 7 | |||
| Windows 7 for 32-bit Systems Service Pack 1 (2991963) | Elevation of Privilege | Moderate | None |
| Windows 7 for x64-based Systems Service Pack 1 (2991963) | Elevation of Privilege | Moderate | None |
| Windows Server 2008 R2 | |||
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (2991963) | Elevation of Privilege | Moderate | None |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (2991963) | Elevation of Privilege | Moderate | None |
| Server Core Installation option | |||
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (2991963) | Elevation of Privilege | Moderate | None |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (2991963) | Elevation of Privilege | Moderate | None |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (2991963) | Elevation of Privilege | Moderate | None |
Microsoft Office Suites and Components
| Microsoft Office Suite | Component | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
|---|---|---|---|---|
| Microsoft Office 2007 | ||||
| Microsoft Office 2007 Service Pack 3 | Microsoft Office 2007 IME (Japanese) (2889913) | Elevation of Privilege | Moderate | None |
Update FAQ
I have an IME installed, but I do not have Microsoft IME (Japanese) installed. Why am I being offered this update?
Only implementations of Microsoft IME (Japanese) are affected by the vulnerability. Other implementations of IME are not vulnerable; however, this update may be offered to systems with a non-vulnerable IME, such as Chinese IME, Pinyin IME, or Korean IME.
Microsoft recommends that users install all updates offered to their systems as this helps to maintain consistency in Windows systems, and for shared files across Microsoft Office products. In some cases, an update to non-vulnerable software detects that the files on your system are already up-to-date and as a result, the update does not need to install files.
I am using Microsoft Office 2010 IME on Windows 7 Service Pack 1. Is my system affected by this vulnerability?
Yes. The Microsoft IME (Japanese) component in Windows 7 Service Pack 1 is vulnerable and should be replaced with this security update. It is still possible for an attacker to use vulnerable installations of the IME component in an attack scenario.
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.
| Affected Software | Microsoft IME (Japanese) Elevation of Privilege Vulnerability - CVE-2014-4077 | Aggregate Severity Rating |
|---|---|---|
| Operating System | ||
| Windows Server 2003 | ||
| Windows Server 2003 Service Pack 2 | Moderate\ Elevation of Privilege | Moderate |
| Windows Server 2003 x64 Edition Service Pack 2 | Moderate\ Elevation of Privilege | Moderate |
| Windows Server 2003 with SP2 for Itanium-based Systems | Moderate\ Elevation of Privilege | Moderate |
| Windows Vista | ||
| Windows Vista Service Pack 2 | Moderate\ Elevation of Privilege | Moderate |
| Windows Vista x64 Edition Service Pack 2 | Moderate \ Elevation of Privilege | Moderate |
| Windows Server 2008 | ||
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Moderate \ Elevation of Privilege | Moderate |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Moderate \ Elevation of Privilege | Moderate |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Moderate \ Elevation of Privilege | Moderate |
| Windows 7 | ||
| Windows 7 for 32-bit Systems Service Pack 1 | Moderate \ Elevation of Privilege | Moderate |
| Windows 7 for x64-based Systems Service Pack 1 | Moderate \ Elevation of Privilege | Moderate |
| Windows Server 2008 | ||
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Moderate \ Elevation of Privilege | Moderate |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Moderate\ Elevation of Privilege | Moderate |
| Server Core installation option | ||
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Moderate \ Elevation of Privilege | Moderate |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Moderate \ Elevation of Privilege | Moderate |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Moderate \ Elevation of Privilege | Moderate |
| Microsoft Office Suites | ||
| Microsoft Office 2007 IME (Japanese) | Moderate\ Elevation of Privilege | Moderate |
Microsoft IME (Japanese) Elevation of Privilege Vulnerability - CVE-2014-4077
An elevation of privilege vulnerability exists in Microsoft IME for Japanese that is caused when a vulnerable sandboxed application uses Microsoft IME (Japanese). Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft was aware of limited attacks that attempt to exploit this vulnerability. The update addresses the vulnerability by correcting how the Microsoft IME (Japanese) component loads dictionary files that are associated with this vulnerability.
Mitigating Factors
The following mitigating factors may be helpful in your situation:
- An attacker must have authenticated write access to the system to exploit this vulnerability. An anonymous user could not exploit the vulnerability.
- Only implementations of Microsoft IME for Japanese are affected by this vulnerability. Other versions of Microsoft IME are not affected.
Workarounds
The following workarounds may be helpful in your situation:
Use the Enhanced Mitigation Experience Toolkit (EMET)
Note For the security mitigations to be enabled, EMET must be configured after the EMET installation. See Microsoft Knowledge Base Article 2458544 for additional guidance.
- Launch EMET GUI (for example, "C:\Program Files (x86)\EMET 5.0\EMET_GUI.exe").
- Click Apps, and then Add Wildcard.
- Add Microsoft IME (Japanese) component; type "*\IMJPDCT.EXE” (no quotes) and click OK.
- Locate the added entry IMJPDCT.EXE in the App Name list, deselect all checked mitigations, and then select ASR mitigation.
- Click Show All Settings.
- Scroll down to Attack Surface Reduction, type “IMJP*.DIC” in Modules, then click OK.
- Close EMET.
Impact of workaround. There is no impact to the functionality of Microsoft IME (Japanese).
How to undo the workaround.
To undo this workaround, follow these steps:
- Launch EMET GUI (for example, "C:\Program Files (x86)\EMET 5.0\EMET_GUI.exe").
- Click Apps, then select IMJPDCT.EXE in the App Name list.
- Click Remove Selected, then click OK.
- Close EMET.
FAQ
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could compromise the sandbox of a vulnerable application and gain access to the affected system with the rights of the logged-on user. If a user on an affected system is logged in with administrative rights, an attacker could then install programs; view, change or delete data; or create new accounts with full administrative rights.
How could an attacker exploit the vulnerability?
In an attack scenario, an attacker would have to convince the user to open a specially crafted file that would invoke the vulnerable sandboxed application, resulting in a compromise of the sandbox policy. The attacker could then run a program with the privileges of the logged on user.
What systems are primarily at risk from the vulnerability?
Any system running the affected versions of Microsoft IME (Japanese), including workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.
Does the Enhanced Mitigation Experience Toolkit (EMET) help mitigate attacks that could attempt to exploit these vulnerabilities?
Yes. EMET enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit vulnerabilities in a given piece of software. EMET helps to mitigate this vulnerability in Microsoft IME on systems where EMET is installed and configured.
For more information about EMET, see The Enhanced Mitigation Experience Toolkit.
Security Update Deployment
For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.
Acknowledgments
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (November 11, 2014): Bulletin published.
Page generated 2015-01-14 12:00Z-08:00.