Microsoft Patch Tuesday, December 2014

December's Microsoft Patch Tuesday is upon us and, hopefully, marks the last batch of bulletins for 2014. Although not as big as November's release, it still clocks in with three Critical and four Important bulletins. Internet Explorer is back with fourteen vulnerabilities, the majority of which are critical memory corruption vulnerabilities. That means there were critical vulnerabilities patched in Internet Explorer every month this year except for January. In all, over 200 vulnerabilities were patched in Internet Explorer in 2014, and the majority were rated critical. The other two critical vulnerabilities affect Microsoft Word and the VBScript scripting engine.

This release also patches MS14-075, which was slated for November but listed as "Release date to be determined" until today. The bulletin patches four vulnerabilities in Microsoft Exchange that can result in privilege escalation.

MS14-075
Important
CVE-2014-6319, CVE-2014-6325, CVE-2014-6326, CVE-2014-6336
Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege

This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web Access site. The vulnerability allows the attacker to gather enough OWA token information to spoof a valid user's token and send spoofed email as that user. Two other vulnerabilities patch a XSS hole in OWA and the fourth vulnerability patched would allow an attacker to redirect their victim to an arbitrary domain.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013.


MS14-080
Critical
CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966
Cumulative Security Update for Internet Explorer

This security update resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update affects Internet Explorer 6 (IE 6) through Internet Explorer 11 (IE 11) on affected Windows clients and servers.


MS14-081
Critical
CVE-2014-6356, CVE-2014-6357
Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution

This security update resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Both vulnerabilities are due to how Microsoft Word handles objects in memory.

This security update is rated Critical for all supported editions of Microsoft Word 2007, Microsoft Office 2010, Microsoft Word 2010, Microsoft Word 2013, Microsoft Word 2013 RT, Microsoft Office for Mac 2011, Microsoft Word Viewer, Microsoft Office Compatibility Pack, and for affected Microsoft Office services and Web Apps on supported editions of Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013, and Microsoft Office Web Apps Server 2013.


MS14-082
Important
CVE-2014-6364
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office. This vulnerability is similar to the MS Word memory vulnerabilities in MS14-081, but affects all Office documents.

This security update is rated Important for all supported editions of Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2013 RT.


MS14-083
Important
CVE-2014-6360, CVE-2014-6361
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

This security update resolves two privately reported vulnerabilities in Microsoft Excel. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Excel file in an affected version of Microsoft Office software. Like MS14-080 and MS14-082 this vulnerability is due to memory mismanagement.

This security update is rated Important for all supported editions of Microsoft Excel 2007, Microsoft Excel 2010, Microsoft Excel 2013, Microsoft Excel 2013 RT, Microsoft Office Excel Viewer, and Microsoft Office Compatibility Pack.


MS14-084
Critical
CVE-2014-6363
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution

This security update resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website with Internet Explorer. It could also be exploited via a specially crafted Office document designed to invoke the IE rendering engine. The security update addresses the vulnerability by modifying how the VBScript scripting engine handles objects in memory.

This security update is rated Critical for affected versions of the VBScript scripting engine on affected Windows clients and Moderate for affected versions of the VBScript scripting engine on affected Windows servers.


MS14-085
Important
CVE-2014-6355
Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure

This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user browses to a website containing specially crafted JPEG content. An attacker could use this information disclosure vulnerability to gain information about the system that could then be combined with other attacks to compromise the system. The information disclosure vulnerability by itself does not allow arbitrary code execution. However, an attacker could use this information disclosure vulnerability in conjunction with another vulnerability to bypass security features such as Address Space Layout Randomization (ASLR).

This security update is rated Important for all supported releases of Microsoft Windows.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.