Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-589 on Wednesday, November 12th.

MS14-064

Windows OLE Automation Array Remote Code Execution Vulnerability CVE-2014-6332
Windows OLE Remote Code Execution Vulnerability CVE-2014-6352

MS14-065

Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE
Multiple Elevation of Privilege Vulnerabilities in Internet Explorer MULTIPLE
Multiple Internet Explorer Cross-domain Information Disclosure Vulnerabilities MULTIPLE
Internet Explorer Clipboard Information Disclosure Vulnerability CVE-2014-6323
Internet Explorer ALSR Bypass Vulnerability CVE-2014-6339

MS14-066

Microsoft Schannel Remote Code Execution Vulnerability CVE-2014-6321

MS14-067

MSXML Remote Code Execution Vulnerability CVE-2014-4118

MS14-069

Microsoft Office Double Delete Remote Code Execution Vulnerability CVE-2014-6333
Microsoft Office Bad Index Remote Code Execution Vulnerability CVE-2014-6334
Microsoft Office Invalid Pointer Remote Code Execution Vulnerability CVE-2014-6335

MS14-070

TCP/IP Elevation of Privilege Vulnerability CVE-2014-4076

MS14-071

Windows Audio Service Vulnerability CVE-2014-6322

MS14-072

TypeFilterLevel Vulnerability CVE-2014-4149

MS14-073

SharePoint Elevation of Privilege Vulnerability CVE-2014-4116

MS14-074

Remote Desktop Protocol (RDP) Failure to Audit Vulnerability CVE-2014-6318

MS14-076

IIS Security Feature Bypass Vulnerability CVE-2014-4078

MS14-077

Active Directory Federation Services Information Disclosure Vulnerability CVE-2014-6331

MS14-078

Microsoft IME (Japanese) Elevation of Privilege Vulnerability CVE-2014-4077

MS14-079

Denial of Service in Windows Kernel Mode Driver Vulnerability CVE-2014-6317

MS14-064

The vulnerabilities patched in the first bulletin of November are likely related to the issue patched last month in MS14-060, as the issue affects Microsoft Windows Object Linking and Embedding (OLE). According to the Microsoft Security & Defense blog, CVE-2014-6352 has been used in targeted attacks in the wild. For those that are unable to patch immediately, Microsoft has provided a Fix it solution. Additionally, Microsoft recommends enabling UAC to mitigate attacks of this nature and has released XML to block this vulnerability using the Attack Surface Reduction feature of EMET 5.0.

MS14-065

Up next, we have the Internet Explorer update for November. None of the updates patched this month are currently being exploited, which may explain why it isn’t at the top of the Microsoft priority list this month. As always though, this patch should be applied as soon as possible.

MS14-066

The third critical bulletin this month addresses a remote code execution issue with Microsoft Schannel, the implementation that provides SSL capabilities to Microsoft and some third party products. Given how important Schannel is, this is a critical vulnerability and even though it was listed second in the propriety list this month, for month people this will be the item that tops the list when installing patches. The SR&D Blog indicates that this was found internally during a security assessment, so patching sooner rather than later means there’s less time for exploits to find their way into the hands of attackers.

MS14-067

MS14-067 describes a single vulnerability affecting Microsoft XML Core Services 3.0 that could be targeted via a web-based drive by attack. The bulletin provides a number of ActiveX killbits that can be set to eliminate the web-based attack vector for this vulnerability.

MS14-069

The next bulletin this month provides updates for Microsoft Office, specifically Microsoft Word. Users of newer office platforms will be happy to learn that the three vulnerabilities in this bulletin only affect Word 2007, however users of the Office Compatibility Pack or Word Viewer are also affected. Word Viewer is often overlooked on systems, so be sure you’re aware of all installed attack vectors on your system.

MS14-070

This bulletin describes a single vulnerability affecting TCP/IP that could allow an authenticated user to elevate their privileges. The upside is that only Windows Server 2003 is affected by this vulnerability.

MS14-071

MS14-071 affects Windows 6 operating systems (Vista and newer) and describes a privilege escalation vulnerability in the Windows Audio Service. While direct code execution isn’t possible, the Windows Audio Service fails to properly validate permissions which could allow script execution in an unexpected user context, leading to the elevate their privileges.

MS14-072

.NET bulletins have become an expected part of the Microsoft patch drop and this month doesn’t disappoint. However, this month the single vulnerability bulletin is accompanied by a blog post detailing Microsoft .NET Remoting, the source of this privilege escalation, and how to better secure it. If you’re using .NET Remoting, you should give this post a read.

MS14-073

SharePoint Server 2010 is the affected product listed in MS14-073 but the upside is that authentication is required to effectively exploit this Cross-Site Scripting issue, which could lead to code running in the context of another user. Administrators with SharePoint Servers should review this bulletin and install the updates mentioned. Note that SharePoint Server 2013 is not affected, another example of how staying up-to-date can be beneficial.

MS14-074

This bulletin will probably rank at the bottom of most people’s lists this month when deciding patch installation priority. MS14-074 is a Remote Desktop Protocol bulletin that describes a flaw that affects audit logging. While the bulletin is classed as a security feature bypass (similar to ASLR bypass issues), it will have minimal impact unless you regularly audit your RDP implementations for failed login attempts.

MS14-076

Another security feature bypass, this month’s IIS bulletin describes a vulnerability in the ‘IP and Domain Restriction’ Filtering list on IIS 8 and 8.5. The vulnerability does not impact IP Restriction filtering but it does impact domain name filtering when wildcards are used. In a move away from their standard patch delivery method, only users with IP and Domain Restriction filtering enabled will receive this update.

MS14-077

MS14-076 was an unexpected update when you consider the nature of an update. If a user logs off a browser session and leaves their browser open, an attacker could use the browser to log back in. This issue would be fixed by many vendors as a typical product update rather than the issuing of a security bulletin, which should, partially, at least, indicate Microsoft’s commitment to security.

MS14-078

This update resolves a vulnerability in the Microsoft Japanese Input Method Editor (IME). Microsoft has indicated on the SR&D blog that this attack was used in-the-wild as a sandbox escape for Adobe Reader exploits.

MS14-079

The final bulletin of the month is an odd item to find at the bottom of Microsoft priority list and our bulletin. Normally, win32k.sys bulletins have a high priority but in a rare turn of events, privilege escalation is not possible with this vulnerability and the result is simply a blue-screen-of-death. This is definitely one of the lowest priority issues this month.

 

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

 

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
MS14-064
MS14-078
Extremely Difficult
No Known Exploit
MS14-074
MS14-076
MS14-077
MS14-079 MS14-065
MS14-067
MS14-069
MS14-071
MS14-072
MS14-073
MS14-070 MS14-066
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged