Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-593 on Wednesday, December 10.

 

MS14-075

Outlook Web App Token Spoofing Vulnerability CVE-2014-6319
OWA XSS Vulnerability CVE-2014-6325
OWA XSS Vulnerability CVE-2014-6326
Exchange URL Redirection Vulnerability CVE-2014-6336

MS14-080

Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE
Multiple XSS Filter Bypass Vulnerabilities in Internet Explorer MULTIPLE
Internet Explorer ASLR Bypass Vulnerability CVE-2014-6368
VBScript Memory Corruption Vulnerability CVE-2014-6363

MS14-081

Invalid Index Remote Code Execution Vulnerability CVE-2014-6356
Use After Free Word Remote Code Execution Vulnerability CVE-2014-6357

MS14-082

Microsoft Office Component Use After Free Vulnerability CVE-2014-6364

MS14-083

Excel Invalid Pointer Remote Code Execution Vulnerability CVE-2014-6361
Global Free Remote Code Execution in Excel Vulnerability CVE-2014-6360

MS14-084

VBScript Memory Corruption Vulnerability CVE-2014-6363

MS14-085

Graphics Component Information Disclosure Vulnerability CVE-2014-6355

 

MS14-075

The first update this month is one that we expected to see last month. It resolves four vulnerabilities affecting Exchange and, more specifically, OWA. This includes two reflected XSS vulnerabilities, a URL redirect and a token spoofing vulnerability. According two Microsoft, both the URL redirect and the token spoofing issue could be used to send mail on behalf of the victim.

MS14-080

Up next, we have 14 CVEs fixed in this month’s Internet Explorer update. The update resolves 10 Memory Corruption Vulnerabilities, 2 XSS Filter Bypasses, an ASLR Bypass and a VBScript vulnerability. The good news with this bulletin is that, at the time of release, none of these vulnerabilities were actively exploited; this is a rare occurrence with IE bulletins.

Something to keep an eye on with this update is that, combined with MS14-084, they both resolve the same vulnerability. VBScript 5.6 and 5.7 users will get their update from MS14-084. VB Script 5.8 will get their update from MS14-084 if they are using Internet Explorer 8 but they’ll get it from this bulletin IE9 or IE10.

MS14-081

Another typical Microsoft update, the first of three Office bulletins this month resolves two issues affecting Microsoft Word. In addition to Word, SharePoint Server’s Word Automation Services and Office Web Apps are both affected.

MS14-082

The second Office bulletin this month resolves a vulnerability in Word related to file parsing. Additionally, it enables ASLR for the Microsoft Common Controls (MSCOMCTL) library.

MS14-083

The final Office bulletin this month resolves two vulnerabilities in Microsoft Excel. Like the two bulletins listed above, this is a rather typical Microsoft vulnerability.

MS14-084

MS14-084 is the partner to the VBScript vulnerability in MS14-080. This bulletin targets older versions of VB Script that are not bundled with IE.

It’s important to keep in mind that the table provided in the Microsoft bulletin that states that MS14-080 is not applicable to VBScript 5.6, 5.7, and 5.8 (with IE 8); the update refers specifically to the VBScript vulnerability and not the Internet Explorer bulletin as a whole. MS14-080 will still apply to your system; it simply won’t resolve the VBScript vulnerability when it is installed.

MS14-085

The final bulletin this month resolves a JPEG parsing vulnerability that could allow attackers to bypass ASLR. While the direct risk from this vulnerability is minimal, the real risk comes when it is chained with other vulnerabilities.

Additional Information

Adobe has released updates for Flash (APSB14-027) and Reader/Acrobat (APSB14-028) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[1].

 

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.


 

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
No Known Exploit
MS14-085 MS14-080
MS14-081
MS14-082
MS14-083
MS14-084
MS14-075
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged