This month brings a massive number of bulletins and vulnerabilities covering a wide array of Microsoft products. As with most months, some of the more critical vulnerabilities to patch immediately are within Internet Explorer and the kernel privilege escalation vulnerabilities. There are also a lot of other unique vulnerabilities whose criticality will vary depending on your environment, so please read below to determine what to patch first, and as always, if you have any questions do not hesitate to contact our research group directly.

MS14-064 – OLE suffers from a couple of vulnerabilities this month. They can allow code execution in the context of the currently logged-on user via Internet Explorer or Microsoft Office. You can help mitigate this vulnerability by making sure users are not running as Administrator.

MS14-065 – Patches 17 different vulnerabilities within Internet Explorer. This continues the monthly trend of a massive number of critical IE vulnerabilities being fixed. Beyond the standard code execution vulnerabilities, this month also includes an ASLR bypass which, as we have covered in previous months, is a helpful security bypass feature, for attackers of course. Same story here: removing Administrator privileges is a helpful mitigation, so that in some scenarios attackers are left executing with lower privileges.

MS14-066 – A vulnerability within Schannel that can allow remote code execution against Windows servers. This bulletin does not include many details, so we will probably take a closer look to see what is under the hood on this one.

MS14-067 – Affects XML Core Services 3.0, which again allows code execution in the context of the currently logged-on user. Wait for it… Have you removed Admin privileges from standard accounts in your environment? Surely your sales department is not still local admin, making an attacker's job even easier?
MS14-068 – Microsoft seems to have pushed back the release date on this bulletin, as currently they simply say: Release date to be determined.

MS14-069 – Covers 3 different Microsoft Office vulnerabilities that allow remote code execution against systems. This bulletin affects older components and Office 2007 and is a great reminder to make sure you are running the latest major version release of software from Microsoft. This vulnerability also allows execution of code with the rights of the currently logged-on user. You know what that means…

MS14-070 – This fixes a publicly disclosed vulnerability in TCP/IP which allows an attacker to run code in the context of another process. It can therefore be used to elevate privileges on systems where an attacker already has access, going from a standard user account to full access to the system.

MS14-071 – Even Windows Audio has a vulnerability this month, and it is an interesting one. An attacker cannot directly use this vulnerability on its own so much as it is great when combined with another vulnerability that would normally result in execution as a low integrity process. As is the case with a lot of Internet Explorer vulnerabilities, one could combine the two to elevate privileges and execute at Medium Integrity within Internet Explorer, and therefore have further access to a system.

MS14-072 – .NET Remoting can lead to an elevation of privilege. This is a vulnerability that is going to affect some types of custom .NET applications that specifically leverage .NET Remoting. Microsoft suggests moving to more modern communications technologies such as WCF, and we could not agree more.

MS14-073 – Another Patch Tuesday, another SharePoint vulnerability. This is similar to previous vulnerabilities that we have seen that result in elevation of privilege against SharePoint, essentially allowing an attacker to execute browser script code in the context of the currently logged-on SharePoint user.
MS14-074 – Represents a unique vulnerability within RDP that can allow an attacker to bypass audit logging events. What this means is that an attacker could brute force passwords against RDP without actually triggering any failed login authentication audits. This isn't the most critical of vulnerabilities this month, but as we have seen a lot of RDP brute force attacks in the past it is one to make sure to patch.

MS14-075 – Microsoft seems to have pushed back the release date on this bulletin, as currently they simply say: Release date to be determined.

MS14-076 – Fixes a vulnerability within Microsoft IIS that can be used to bypass the IP and Domain Restrictions feature of IIS. This specifically means that if you had set up an IIS website to block specific IPs or domains, an attacker could bypass that restriction and connect to your IIS website anyway. Hopefully you are not counting on this feature alone to control network-level access to your IIS websites…

MS14-077 – Active Directory Federation Services suffers from an information disclosure vulnerability in which, if a user fails to properly log off a session, an attacker can later reopen the application to get user details. This is not a critical attack, but it is interesting that such a basic type of vulnerability was left around in ADFS.

MS14-078 – IME for Japanese is vulnerable to a privilege escalation vulnerability. Any sandboxed application can be broken out of, and this vulnerability is made worse in environments where applications and users are given local administrator access. This vulnerability is nuanced, but there have been reports of limited attacks in the wild according to Microsoft.

MS14-079 – What would a Patch Tuesday month be without ending things off with yet another Kernel-Mode Driver – TrueType font vulnerability? Luckily this month the vulnerability is a denial of service that results in a system that stops responding or restarts, vs. code execution.
That being said, however, an attacker can deliver the attack via network shares, websites, or emails, and while some user interaction is required it is still a straightforward path to DoS in some scenarios. That shouldn't matter in the real world, as you are not surfing the web and reading email on your servers, right?

The following vulnerability audits have been released in audits revision 2849:

[MS14-064] - Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)
  43610 - Microsoft Windows OLE Remote Code Execution (3011443) - KB3006226
  43612 - Microsoft Windows OLE Remote Code Execution (3011443) - KB3010788

[MS14-065] - Cumulative Security Update for Internet Explorer (3003057)
  43620 - Microsoft Cumulative Security Update for Internet Explorer (3003057)

[MS14-066] - Vulnerability in Schannel Could Allow Remote Code Execution (2992611)
  43608 - Microsoft Schannel Remote Code Execution Vulnerability (2992611)

[MS14-067] - Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)
  43616 - Microsoft XML Core Services Remote Code Execution (2993958) - 2003
  43617 - Microsoft XML Core Services Remote Code Execution (2993958) - Vista/2008
  43618 - Microsoft XML Core Services Remote Code Execution (2993958) - 7/2008R2/8/2012
  43619 - Microsoft XML Core Services Remote Code Execution (2993958) - 8.1/2012R2

[MS14-069] - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)
  43622 - Microsoft Office Remote Code Execution (3009710) - Office 2007
  43624 - Microsoft Office Remote Code Execution (3009710) - Compatibility Pack
  43639 - Microsoft Office Remote Code Execution (3009710) - Word Viewer
  43641 - Microsoft Office Remote Code Execution (3009710) - Word Viewer x64
  43642 - Microsoft Office Remote Code Execution (3009710) - Compatibility Pack x64

[MS14-070] - Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)
  43613 - Microsoft TCP/IP Elevation of Privilege Vulnerability (2989935)

[MS14-071] - Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)
  43614 - Microsoft Audio Service Privilege Escalation (3005607)

[MS14-072] - Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)
  43625 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978114
  43626 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978124
  43627 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978125
  43628 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978116
  43629 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978128
  43630 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978120
  43631 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978121
  43632 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978127
  43633 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978122
  43634 - Microsoft .NET Framework Elevation of Privilege (3005210) - KB2978126

[MS14-073] - Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)
  43638 - Microsoft SharePoint Foundation Elevation of Privilege (3000431)

[MS14-074] - Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743)
  43611 - Microsoft Remote Desktop Protocol Security Feature Bypass (3003743)

[MS14-076] - Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)
  43607 - Microsoft Internet Information Services (IIS) Security Feature Bypass (2982998)

[MS14-077] - Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381)
  43615 - Microsoft ADFS Information Disclosure (3003381) - 2012/2012R2
  43643 - Microsoft ADFS Information Disclosure (3003381) - 2008/2008R2

[MS14-078] - Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)
  43621 - Microsoft IME (Japanese) Elevation of Privilege (2992719) - Vista/2K8/7/2K8R2
  43623 - Microsoft IME (Japanese) Elevation of Privilege (2992719) - 2003
  43640 - Microsoft IME (Japanese) Elevation of Privilege (2992719) - Office 2007

[MS14-079] - Vulnerability in Kernel Mode Driver Could Allow Denial of Service (3002885)
  43609 - Microsoft Kernel-Mode Driver Denial of Service (3002885)
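As an added example (not part of the original post), here is a small Python parser for the audit list format above: it undoes the line wrapping the list arrives with, groups each audit under its bulletin and KB article, and pulls out the update KB ids (the KBnnnnnnn qualifiers) so they can be cross-referenced with a patch inventory. The sample input is a constructed subset of the list above.

```python
import re

# Constructed sample: a subset of the audit list above, including one entry
# (43621) whose trailing qualifier was wrapped onto the next line.
SAMPLE = """[MS14-064] - Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)
43610 - Microsoft Windows OLE Remote Code Execution (3011443) - KB3006226
43612 - Microsoft Windows OLE Remote Code Execution (3011443) - KB3010788
[MS14-070] - Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)
43613 - Microsoft TCP/IP Elevation of Privilege Vulnerability (2989935)
[MS14-078] - Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)
43621 - Microsoft IME (Japanese) Elevation of Privilege (2992719) -
Vista/2K8/7/2K8R2
43623 - Microsoft IME (Japanese) Elevation of Privilege (2992719) - 2003
"""

BULLETIN_RE = re.compile(r"\[(MS\d{2}-\d{3})\] - ")
TITLE_RE = re.compile(r"^(?P<title>.*?) \((?P<kb>\d{6,7})\)$")
AUDIT_RE = re.compile(r"^(?P<id>\d{5}) - (?P<name>.*?) \((?P<kb>\d{6,7})\)(?: - (?P<qual>.+))?$")


def parse_audits(text):
    """Return {bulletin: {"title", "kb", "audits": [...]}} from the audit list text."""
    flat = " ".join(text.split())            # undo the line wrapping seen on the page
    pieces = BULLETIN_RE.split(flat)         # ['', 'MS14-064', '<title + audits>', ...]
    parsed = {}
    for bulletin, chunk in zip(pieces[1::2], pieces[2::2]):
        # First piece is the bulletin title; each 5-digit audit id starts a new audit.
        parts = re.split(r" (?=\d{5} - )", chunk.strip())
        title = TITLE_RE.match(parts[0])
        if not title:
            raise ValueError("unparseable bulletin header: " + parts[0])
        audits = []
        for part in parts[1:]:
            audit = AUDIT_RE.match(part)
            if not audit:
                raise ValueError("unparseable audit entry: " + part)
            audits.append({"id": int(audit["id"]), "name": audit["name"],
                           "kb": audit["kb"], "qualifier": audit["qual"]})
        parsed[bulletin] = {"title": title["title"], "kb": title["kb"], "audits": audits}
    return parsed


def update_kbs(parsed):
    """The KBnnnnnnn qualifiers, i.e. the update ids to look for in a patch inventory."""
    return sorted(a["qualifier"] for b in parsed.values() for a in b["audits"]
                  if a["qualifier"] and a["qualifier"].startswith("KB"))


def kb_mismatches(parsed):
    """Audits whose KB article differs from their bulletin's (sanity check on the list)."""
    return [(b, a["id"]) for b, info in parsed.items()
            for a in info["audits"] if a["kb"] != info["kb"]]
```

Audits without a KB qualifier (for example the platform-qualified XML Core Services and IME entries) carry only the bulletin KB article, so they need to be matched to the per-platform update separately.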