TechTarget has released an article outlining the Windows updates along with the benefits of installing them. We strongly recommend installing them as soon as possible.
Microsoft’s monthly Patch Tuesday releases had been unremarkable for most of 2014. Activity picked up in a busy October iteration, though, as four zero-day vulnerabilities were addressed, and now the November Patch Tuesday batch has delivered the heftiest patch haul of the year, with four critical fixes and 14 total bulletins.
The most pressing bulletin in this month’s release, MS14-064, features a fix for CVE-2014-6352, which describes a vulnerability in the Windows Object Linking and Embedding (OLE) packager that Microsoft said has been used in limited attacks. If exploited, the flaw can be utilized by attackers to take complete control of a system remotely.
Amol Sarwate, director of engineering for Qualys Inc., based in Redwood City, Calif., said that attackers have been spotted using malicious PowerPoint presentations to exploit the issue described in CVE-2014-6352, though users could also be tricked into visiting websites hosting exploit code.
If that vulnerability sounds familiar, Sarwate said it’s because the flaw originally stemmed from weaknesses related to MS14-060, a bulletin issued in October that was meant to mitigate CVE-2014-4114 — the so-called “Sandworm” OLE vulnerability.
According to an October blog post by researchers with Intel Corp.’s McAfee business unit, those who had installed the MS14-060 fix were inadvertently put at risk. After realizing that the bulletin was incomplete, Microsoft provided a “Fix it” tool to temporarily mitigate the issue as part of Security Advisory 3010060, though the new patch should fully address any lingering issues.
“Whenever an exploit is used in targeted attacks, it’s pretty easy for other exploit writers to reverse it and write their own exploits,” said Sarwate, adding that implementing MS14-064 should be the chief priority for administrators this month. “Who knows, someone may have already reversed it and is already targeting some other person of interest.”
Craig Young, security researcher for Tripwire Inc., based in Portland, Oregon, said that the next most important patch this month is MS14-066, which addressed a privately reported vulnerability in Microsoft’s Secure Channel (Schannel) security package — essentially the company’s internal version of SSL/TLS. The Microsoft bulletin stated that the Schannel flaw, CVE-2014-6321, was the result of “improper processing of specially crafted packets.”
If successfully exploited, Young said the flaw could allow unauthenticated attackers to execute arbitrary code on desktop systems with RDP enabled, Web applications using IIS for HTTPS, and many other Microsoft products.
Between Heartbleed and Shellshock, Young noted that 2014 has already been a banner year for SSL vulnerabilities, but CVE-2014-6321 may yet be the worst of the bunch because of the large number of systems potentially affected. As a result, Young said that some admins should consider MS14-066 a higher priority than this month’s cumulative Internet Explorer patch.
“Heartbleed was less powerful because it was ‘just’ an information disclosure bug and Shellshock was remotely exploitable only in a subset of affected systems,” said Young. “Fortunately, Microsoft’s assessment is that reliable exploitation of this bug will be tricky. Hopefully, this will give admins enough time to patch their systems before we see exploits.”
Out of the two remaining critical bulletins this month, Sarwate said that MS14-065, the cumulative IE patch, should be the priority for most organizations. The bulletin addresses a total of 17 unique vulnerabilities across all supported versions of Microsoft’s Web browser, the most severe of which could allow attackers to gain the same privileges as a current user and to remotely execute code.
This month’s final critical bulletin, MS14-067, addressed a privately reported vulnerability across several supported versions of Windows and Windows Server that could allow arbitrary code to be executed. The flaw is the result of Microsoft’s XML Core Services (MSXML) improperly parsing XML content, and can be triggered by attackers tricking IE users into visiting malicious websites.
Though the November Patch Tuesday is the largest of 2014, Microsoft’s original release plan actually included two more bulletins, MS14-068 and MS14-075, that didn’t make the cut. MS14-068 was meant to be a critical bulletin that addressed an undisclosed flaw in Microsoft Exchange.
Tyler Reguly, manager of security research and development at Tripwire, said that while Microsoft commonly pulls unfinished patches as part of its QA process, it is odd for the numbering used for the bulletins to remain unchanged. “This means that we’ll likely see both of these bulletins released next month, and they will be out of order from the other bulletins,” said Reguly.
Out of the remaining 10 bulletins in the November 2014 Patch Tuesday release, eight were rated as important and two as moderate. The vulnerabilities included in those bulletins spanned the range of Microsoft’s products, including Windows, Office, .NET Framework and Windows Server.