Microsoft Patch Tuesday, November 2014

Compared to previous Microsoft Patch Tuesday's, November's is a pretty big one clocking in at 14 bulletins and nearly 40 individual CVEs. This is about twice the number of bulletins we typically seen month to month. This includes 4 Critical, 8 Important and 2 Moderate rated bulletins. Among the Critical bulletins, Internet Explorer raises its head again this month with 17 individual CVEs patched in its bulletin. The majority of these are memory corruption vulnerabilities that allow for arbitrary remote code execution.

Another Critical bulletin patches CVE-2014-6352, which fell through the cracks last month. You might remember that last month one of the vulnerabilities patched was in OLE and was seen being exploited in the wild in a campaign called Sandworm. Unfortunately that bulletin didn't completely patch the vulnerability, exploits were still seen succeeding in the wild and Microsoft was forced to release an additional advisory with a Fix-It for the problem. Now that additional exploitation avenue is closed with this month's release. Two other Critical vulnerabilities exist in Microsoft XML Core Services and in the Secure Channel, or SChannel, security component.

The majority of the rest of the bulletins include multiple security bypass and escalation of privilege vulnerabilities. For instance, a security bypass vulnerability in Remote Desktop allows users to avoid audit logging of their actions. A vulnerability in the TCP/IP stack in Windows Server would allow an attacker to execute code in the context of another running process which may have more system privileges.

All in all every supported version of Microsoft Windows is affected by this release in addition to many core software components like MSXML core and the Windows Kernel Mode Driver. Admins should get ready to roll up their sleeves and keep a hot pot of coffee handy.

MS14-064
Critical
CVE-2014-6332, CVE-2014-6352
Vulnerabilities in Windows OLE Could Allow Remote Code Execution

This bulletin patches two separate vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE), including CVE-2014-6352 which previously only had Workarounds and a Fix-It as a solution. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current logged in user.

This security update affects all supported editions of Microsoft Windows.

MS14-065
Critical
CVE-2014-4143, CVE-2014-6323, CVE-2014-6337, CVE-2014-6339, CVE-2014-6340, CVE-2014-6341, CVE-2014-6342, CVE-2014-6343, CVE-2014-6344, CVE-2014-6345, CVE-2014-6346, CVE-2014-6347, CVE-2014-6348, CVE-2014-6349, CVE-2014-6350, CVE-2014-6351, CVE-2014-6353
Cumulative Security Update for Internet Explorer

This security update patches a total of seventeen vulnerabilities in all supported versions of Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. The majority of these vulnerabilities are memory corruption vulnerabilities similar to those discovered in past months.

This security update affects Internet Explorer 6 (IE 6) through Internet Explorer 11 (IE 11) on affected Windows clients and servers.

MS14-066
Critical
CVE-2014-6321
Vulnerability in SChannel Could Allow Remote Code Execution

This bulletin patches a vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

This security update affects all supported editions of Microsoft Windows.

MS14-067
Critical
CVE-2014-4118
Vulnerabilities in XML Core Services Could Allow Remote Code Execution

This bulletin patches a vulnerability in Microsoft Windows XML service. The vulnerability could allow remote code execution if a user opens a specially crafted file or visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer.

The bulletin affects Microsoft XML Core Services 3.0 in all supported releases of Microsoft Windows.

MS14-069
Important
CVE-2014-6333, CVE-2014-6334, CVE-2014-6335
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

This bulletin resolves three vulnerabilities in Microsoft Word 2007 in the MS Office Suite. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office 2007. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

This security update affects all supported editions of Microsoft Word 2007, Microsoft Word Viewer, and Microsoft Office Compatibility Pack.

MS14-070
Important
CVE-2014-4076
Vulnerability in TCP/IP Could Allow Elevation of Privilege

This bulletin patches a vulnerability in TCP/IP that occurs during input/output control (IOCTL) processing on Windows Server 2003. This vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could migrate arbitrary code to the context of another process. If this process runs with administrator or system privileges, an attacker could gain full control of the local system.

This bulletin affects all supported editions of Windows Server 2003.

MS14-071
Important
CVE-2014-6322
Vullnerability in Windows Audio Service Could Allow Elevation of Privilege

This patches a vulnerability in the Windows audio service component that could be exploited through Internet Explorer. The vulnerability is caused when Internet Explorer does not properly validate permissions under specific conditions, potentially allowing scripts to be run with elevated privileges. The vulnerability could allow elevation of privilege if a user browses to a malicious webpage. In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability.

This affects all supported releases of Windows excluding Windows Server 2003.

MS14-072
Important
CVE-2014-4149
Vulnerability in .NET Framework Could Allow Elevation of Privilege

This security update patches a vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. Only custom applications that have been specifically designed to use .NET Remoting would expose a system to the vulnerability.

This bulletin affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, Microsoft .NET Framework 4.5.1, and Microsoft .NET Framework 4.5.2 on supported releases of Microsoft Windows

MS14-073
Important
CVE-2014-4116
Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege

This bulletin patches a vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could run arbitrary script in the context of the user on the current SharePoint site. An elevation of privilege vulnerability exists when an attacker is able to execute scripts the security context of the logged-on user with greater privileges. The security update addresses the vulnerability by correcting how SharePoint Server sanitizes modified lists within SharePoint mobile browser view.

This bulletin affects supported editions of Microsoft SharePoint Server 2010.

MS14-074
Important
CVE-2014-6318
Vulnerability in Remote Desktop Protocol could allow Security Feature Bypass

This bulletin patches a vulnerability in Microsoft Windows running Remote Desktop. The vulnerability could allow security feature bypass when Remote Desktop Protocol (RDP) fails to properly log audit events. This could allow a user to avoid logging an evade detection for certain system activities. By default, RDP is not enabled on any Windows operating system.

This bulletin affects all supported releases of Microsoft Windows running Remote Desktop, excluding Windows Server 2003.

MS14-076
Important
CVE-2014-4078
Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass

This bulletin patches a vulnerability in Internet Microsoft Internet Information Services (IIS) that could lead to a bypass of the "IP and domain restrictions" security feature. Successful exploitation of this vulnerability could result in clients from restricted or blocked domains having access to restricted web resources.

This bulletin affects all supported editions of Microsoft Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 RTM.

MS14-077
Important
CVE-2014-6331
Vulnerability in Active Directory Federation Services could allow Information Disclosure

This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application, and an attacker reopens the application in the browser immediately after the user has logged off. Despite the authorized user being logged off, information about the user and session remains in the browser.

This affects the following:

  • AD FS 2.0 when installed on 32-bit and x64-based editions of Windows Server 2008
  • AD FS 2.0 when installed on x64-based editions of Windows Server 2008 R2
  • AD FS 2.1 when installed on x64-based editions of Windows Server 2012
  • AD FS 3.0 when installed on x64-based editions of Windows Server 2012 R2

MS14-078
Moderate
CVE-2014-4077
Vulnerability in IME (Japanese) Could Allow Elevation of Privilege

This bulletin patches a vulnerability in Microsoft Input Method Editor (IME) (Japanese). The vulnerability could allow sandbox escape when an affected version of the Microsoft IME (Japanese) is installed. An attacker who successfully exploited this vulnerability could escape the sandbox of a vulnerable application and gain access to the affected system with logged-in user rights. If the affected system is logged in with administrative rights, an attacker escaping the sandbox could gain full control of the system.

This bulletin affects all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 as well as all supported editions of Microsoft Office 2007 where Microsoft IME (Japanese) is installed

MS14-079
Moderate
CVE-2014-6317
Vulnerability in Kernel-Mode Driver Could Allow Denial of Service

This bulletin patches a vulnerability in Microsoft Windows Kernel-Mode Driver. The vulnerability could allow denial of service if an attacker places a specially crafted TrueType font on a network share and a user subsequently navigates there in Windows Explorer. In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. This is the third month since August to patch Kernel Mode Driver vulnerabilities via malicious TrueType fonts.

This bulletin affects all supported releases of Microsoft Windows.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.