November 2014 Patch Tuesday: Microsoft released 4 critical fixes, 14 total updates

Lucky you; Microsoft released 14 security patches, four rated critical, eight rated important and two rated as moderate. It was supposed to be 16, but in a switcheroo, two of the security bulletins did not come out with patches yet. Instead, both MS14-068 and MS14-075 are noted as “release date to be determined.”

Expect to reboot as you deploy the fixes for 33 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).”

According to Microsoft Security Research and Defense blog, both MS14-064 and MS14-078 have an exploitability index of 0, meaning both are currently being exploited in the wild.

Patches rated as critical

Let’s start with remote code execution fixes that are rated as critical.

MS14-064 addresses two privately reported vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE); all supported versions of Windows are affected. It was given an exploitability rating of “0” since CVE-2014-6352 is being used in “limited, targeted attacks in the wild.” Microsoft noted, “An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

“Attackers have been abusing the vulnerability to gain code execution by sending Powerpoint files to their targets,” Qualys said via email. “Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary patch in the form of a FixIt. This is the final fix for OLE Packager (Microsoft had patched the same software in October already with MS14-060) that should address all known exploit vectors. Highly recommended and our top patch this week.”

Continuing Microsoft’s trend to patch Internet Explorer, MS14-065 fixes 17 privately reported vulnerabilities that were given a “1” for maximum exploitability, as in “more likely” to be exploited.

Also given a “1,” MS14-066 resolves one privately reported bug in Microsoft Secure Channel (Schannel) security package in Windows; all supported versions of Windows need to patch.

MS14-067 fixes one privately reported vulnerability in XML Core Services. The patch is rated critical for Vista, Windows 7, Windows 8 and 8.1, Windows RT and RT 8.1 clients. It’s rated as important for affected Windows servers 2003, 2008, 2008 R2, 2012 and 2012 R2. It ranks a “2” on the exploitability index as in regarded as “less likely” to be exploited.

Patches rated as important

Although the patches mentioned above were rated as critical fixes for remote code execution vulnerabilities, MS14-069 is rated as important to resolve three privately reported RCE vulnerabilities in supported editions of Microsoft Word 2007, Microsoft Word Viewer and Microsoft Office Compatibility Pack. It ranks as a “1” on the exploitability index.

The next four patches address elevation of privilege vulnerabilities.

MS14-070 provides Windows Server 2003 with a fix for a publicly reported vulnerability in TCP/IP that occurs during input/output control (IOCTL) processing. It was given a ranking of “2” as in “less likely” to be exploited.

All supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 need to deploy MS14-071. It resolves one privately reported vulnerability in Windows Audio service that was rated as a “2” for potential exploitability. Microsoft noted, “The vulnerability by itself does not allow arbitrary code to be run. The vulnerability would have to be used in conjunction with another vulnerability that allowed remote code execution.”

Both MS14-072 and MS14-073 were rated as a “2” on the exploitability index. MS14-072 resolves one privately reported hole in Microsoft .NET Framework that an attacker could exploit by sending specially crafted data to affected workstations or servers that use .NET Remoting.

MS14-073 addresses one privately reported Cross Site Scripting vulnerability in Microsoft SharePoint Server. According to Microsoft, if an attacker tricks or otherwise convinces a user to visit a malicious site or open an email attachment, then “an authenticated attacker who successfully exploited this vulnerability could run arbitrary script in the context of the user on the current SharePoint site.”

MS14-074 and MS14-076 are rated as important due to Security Feature Bypass flaws, but both were given a “3” on the exploitability scale, meaning exploitation is “unlikely.”

MS14-074 fixes one privately reported vulnerability in systems with Remote Desktop Protocol (RDP) enabled. “The vulnerability could allow security feature bypass when Remote Desktop Protocol (RDP) fails to properly log audit events.” RDP is not enabled by default on any Windows operating system. As an example of the vulnerability, Microsoft explained, “If a valid user logon is attempted for a user that does not have privilege to RDP into a server, that event log may not be recorded.”

MS14-076 resolves one privately reported vulnerability in “Microsoft Internet Information Services (IIS) that could lead to a bypass of the ‘IP and domain restrictions’ security feature. Successful exploitation of this vulnerability could result in clients from restricted or blocked domains having access to restricted web resources. This security update is rated Important for all supported editions of Microsoft Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 RTM.”

Listed as important due to an information disclosure risk, MS14-077 is the fix for one privately reported vulnerability in some configurations of Active Directory Federation Services. It has an exploitability of only “3” and can be exploited “if a user leaves their browser open after logging off from an application, and an attacker reopens the application in the browser immediately after the user has logged off.”

Patches rated as moderate

Although Microsoft rated MS14-078 as moderate, the Security Research and Defense blog lists the vulnerability in Microsoft Input Method Editor (Japanese) as currently being exploited in the wild. Note that “the vulnerability could allow sandbox escape based on the application sandbox policy on a system where an affected version of the Microsoft IME (Japanese) is installed.” Platform mitigations and keynotes state, “CVE-2014-4077 used in one targeted attack in the wild to bypass Adobe Reader Sandbox via binary hijacking using malicious DIC file.”

Also moderate, but rated as a “3” on the exploitability index, MS14-079 fixes one privately reported vulnerability in Microsoft Windows kernel-mode driver that could allow denial of service. All supported versions of Windows are affected.

Additionally, Microsoft re-released the update for vulnerabilities in Adobe Flash Player in Internet Explorer (2755801).

Apparently Microsoft would like you to hop from page to page to page. MSRC posted here, SDR posted here, the Microsoft Security Bulletin summary for November is here and each of the 14 bulletins linked to in the article have their own page. Additionally, Microsoft announced that the update process will deliver encryption technologies currently available in Windows 8.1 and Windows Server 2012 R2 to Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.

Happy patching!