This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some sort of kernel privilege escalation vulnerability, as we commonly see. The Internet Explorer vulnerabilities are of course the ones to patch first followed by the Office related vulnerabilities. Looking forward to 2015 and seeing what vulnerabilities await for us and how things shape up with Windows 8 having some distance on it now and Windows 10 looming around the corner.
MS14-075 – This bulletin was originally supposed to be released along with other security bulletins back in November. It is finally seeing the light of day now as a fix for Microsoft Exchange server that can allow attackers to send email that appears from other users. This is in particular a problem for OWA and a good reminder to be careful where you hang OWA servers off the Internet. Secondarily this bulletin fixes some XSS flaws.
MS14-080 – Internet Explorer makes its monthly Patch Tuesday rounds with this month seeing over 14 privately reported vulnerabilities resolved. Indeed this is another big patch that covers most all supported versions of Internet Explorer with bugs severe enough for Remote Code Execution. And what would an Internet Explorer bulletin be without also including an ASLR bypass.
MS14-081 – Microsoft Word and Office Web Apps also get some fix ups this Patch Tuesday. These vulnerabilities can lead to Remote Code Execution in the context of the currently logged on user. So as always we hope you have implemented least privilege in your environment and users are not running with Administrator level privileges; local or otherwise. This affects even the latest major version releases of Office which is not always typical.
MS14-082 – Another Microsoft Office Word related vulnerability that also leads to remote code execution. And this also affects even the latest major version release of Office. See above.
MS14-083 – And here we have yet another Microsoft Office vulnerability this time in Excel. And indeed this also affects even the latest major release version. Also results in remote code execution in the context of the currently logged on user and so running with least privilege will be helpful here also.
MS14-084 – This bulletin contains a fix for a VBScript Engine remote code execution flaw. This vulnerability can be useful in web-based drive-by attack scenarios. Given this is a client-application vulnerability it also results in code execution in the context of the currently logged on user – which none of your users are hopefully.
MS14-085 – Probably one of the more interesting bulletins from a technical perspective this resolves a weakness within Windows JPEG processing that can result in information disclosure. This bug itself does not result in code execution but rather is helpful for an attacker that is trying to bypass ASLR protection schemes as part of a larger overall exploit.
The following vulnerability audits have been released in audits revision 2857:
[MS14-075] - Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
43868 - Microsoft Exchange Server Privilege Escalation (3009712) - KB2996150 - 2007
43871 - Microsoft Exchange Server Privilege Escalation (3009712) - KB2986475 - 2010
43873 - Microsoft Exchange Server Privilege Escalation (3009712) - KB3011140 - 2013 SP1
43915 - Microsoft Exchange Server Privilege Escalation (3009712) - KB3011140 - 2013 CU6
[MS14-080] - Cumulative Security Update for Internet Explorer (3008923)
43859 - Microsoft Cumulative Security Update for Internet Explorer (3008923)
[MS14-081] - Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
43866 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2920793
43867 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2899519
43869 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2910916
43870 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB3018888
43872 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2899581
43874 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2899518
43875 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2889851
43878 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2883050
43879 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2910892
43880 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2920729
43881 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2920792
43890 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2920729 x64
43893 - Microsoft Word and Office Web Apps Remote Code (3017301) - KB2920792 x64
[MS14-082] - Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
43896 - Microsoft Office Remote Code Execution (3017349) - 2007
43897 - Microsoft Office Remote Code Execution (3017349) - 2007 x64
43898 - Microsoft Office Remote Code Execution (3017349) - 2010
43899 - Microsoft Office Remote Code Execution (3017349) - 2010 x64
43900 - Microsoft Office Remote Code Execution (3017349) - 2013
43901 - Microsoft Office Remote Code Execution (3017349) - 2013 x64
[MS14-083] - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
43860 - Microsoft Excel Remote Code Execution (3017347) - KB2984942 - Excel 2007
43861 - Microsoft Excel Remote Code Execution (3017347) - KB2910902 - Excel 2010
43862 - Microsoft Excel Remote Code Execution (3017347) - KB2910929 - Excel 2013
43864 - Microsoft Excel Remote Code Execution (3017347) - KB2920790 - Compatibility
43865 - Microsoft Excel Remote Code Execution (3017347) - KB2920790 - Compatibility x64
[MS14-084] - Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
43876 - Microsoft VBScript Scripting Engine Remote Code Execution - KB3012168
43877 - Microsoft VBScript Scripting Engine Remote Code Execution - KB3012172 - 2003
43887 - Microsoft VBScript Scripting Engine Remote Code Execution - KB3012172 - Vis/2008
43888 - Microsoft VBScript Scripting Engine Remote Code Execution - KB3012176 - 2003
43889 - Microsoft VBScript Scripting Engine Remote Code Execution - KB3012176 - Other
43891 - Microsoft VBScript Scripting Engine Remote Code Execution - KB3012172 - CORE
43892 - Microsoft VBScript Scripting Engine Remote Code Execution - KB3012176 - CORE
[MS14-085] - Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)
43882 - Microsoft Graphics Component Information Disclosure (3013126)
Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.