December’s Patch Tuesday brings us seven advisories, three of which are listed as Critical. Depending on how you want to count it, we see a total of 24 or 25 CVEs because one of the Internet Explorer CVEs in MS14-080 overlaps with the VBScript CVE in MS14-084.
Of the critical issues, MS14-080 has the broadest scope, with 14 CVEs. None of which are publicly disclosed or known to be under active exploit. The shared CVE with MS14-084 presents a patching and detection challenge because exactly which patch you get will depend on the configuration of your system and the version of IE. Systems without IE will only be offered the MS14-084 patch. Systems with IE 8 and older will be offered the MS14-080 AND the MS14-084 patch. Systems with IE 9 or later will not be offered the MS14-084 patch because the issue is addressed by the MS14-080 patch. Clear as mud, right?
MS14-081 is also marked Critical. In most cases this type of issue would only be important, because typically a document format use-after-free issue requires user interaction to exploit, but in this case because of the potential for exploitation through SharePoint Web Apps the risk is greater.
We also see the better-late-than-never patch for MS14-075 covering 4 CVEs in all supported versions of MS Exchange. This patch addresses two Outlook Web Access Cross Site Scripting issues, a web application token spoofing issue, and an issue with Exchange URL redirection. Even though only tagged important, the presence of MS Exchange on the perimeter and the potential for this type of attack to be combined with stolen credentials and other malicious behavior will make it a patching priority.
The Important Windows issue (MS14-085) is an Information Disclosure vulnerability in Microsoft Graphics component affecting all support OS versions. This vulnerability would allow a maliciously crafted JPEG file to be used to help predict memory offsets in a given callstack. This vulnerability has been publicly disclosed, and although not known to be involved in active attack, could be flying under the radar as this is something that is only used in conjunction with other attacks to make them more effective.
The remaining issues Important Remote Code Execution issues in Office and Excel (MS14-082 & MS14-083) which fall below the Critical risk level, because user interaction such as opening a malicious document is required for exploit.
Top patching priority will no doubt be the MS14-080 & MS14-084, followed by MS14-081 and then MS14-075.
Microsoft has also re-release advisories for MS14-065 & MS14-066 which will update the patches for systems which have not already received them.
In conjunction with Adobe’s release of APSB14-28, Microsoft will be releasing an advisory and flash patch updates for versions of Windows which embed Flash. APSB14-28 addresses 20 CVEs, with an aggregate rating of Critical for Windows and Mac users.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.