This month Microsoft is publishing 14 bulletins with new versions and patches for its software, operating systems and applications. This is one fewer bulletin than Microsoft had announced last week.
The most important bulletin MS14-064 addresses a current 0-day vulnerability – CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions. Attackers have been abusing the vulnerability to gain code execution by sending PowerPoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary patch in the form of a FixIt. This is the final fix for OLE Packager (Microsoft had patched the same software in October already with MS14-060) that should address all known exploit vectors. Highly recommended and our top patch this week.
MS14-066 is a new version of Internet Explorer that addresses 17 vulnerabilities. The most severe of these vulnerabilities could be used to gain control over the targeted machine. An attack will take the form of a malicious webpage that the targeted user has to browse to.
There are two basic scenarios that attackers use frequently. In the first, the user browses to the site of their own volition, maybe as part of a daily routine, but the attacker has gained control over the website in question through a separate vulnerability and is able to plant malicious content on the site. As an example, take the recent vulnerability (CVE-2014-3704) in the Drupal content management system that exposed over 12 million sites to this type of situation. Using the vulnerability, an attacker has complete control over the site and can plant malicious pages on an otherwise innocent site.
A second scenario has the attacker set up a new site and then direct traffic to it through search engine manipulation, for example with sites purporting to have the latest pictures of a recent event of general or specific interest, say the Oscar Pistorius trial or the US president’s statement on Net Neutrality. MS14-066 is our second-ranking patch this week. By the way, if you run Internet Explorer 10 or 11, you are also getting an automatic Adobe Flash update this month. No big surprise here, as this has happened every month in 2014 so far. Users of older Internet Explorer browsers need to download their own update as linked in APSB14-24.
Our third-ranking bulletin, MS14-069, addresses Microsoft Word 2007 and provides fixes for a Remote Code Execution (RCE) vulnerability. The attack scenario here is a malicious document that the attacker prepares to exploit the vulnerability. Attackers then send the document, or a link to it, to their targets and use social engineering techniques, such as legitimate-sounding file names and content descriptions that are likely to interest the targets in question. If you run newer versions of Microsoft Office you are not vulnerable, but users of Office 2007 should place high priority on this bulletin.
Microsoft ranks the next bulletin, MS14-066, highly. It addresses a number of vulnerabilities in an encryption component of Windows called Schannel, which is used in SSL and TLS connections. The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles. The vulnerabilities are private, as they were found by Microsoft internally. While Microsoft considers it technically challenging to code an exploit, it is only a matter of time and resources, and it is prudent to install this bulletin in your next patch cycle.
The remaining bulletins address a mix of different operating systems and platforms and include a number of server vulnerabilities: MS14-073 in Microsoft SharePoint and MS14-076 in IIS.
One last curious vulnerability: MS14-078 fixes a vulnerability (CVE-2014-4077) in a Windows component for Japanese input. The vulnerability has to be used in conjunction with another to get remote code execution. It has been attacked in the wild. Attackers send Adobe PDF documents that contain a special malformed dictionary that can trigger the IME exploit. If your Adobe Reader is on the latest update set, or if you use another PDF rendering program, you are not affected by the vulnerability.
Lastly, Microsoft held back one of the critical Windows vulnerabilities as it showed some last-minute stability problems. It is a privately disclosed vulnerability, so this should not have a major effect on your security situation, but we know we will get at least one critical Windows patch next month in December.
Author: Wolfgang Kandek, CTO, Qualys.