SpiderLabs Blog

Microsoft Patch Tuesday, October 2014

Today is the October Microsoft Patch Tuesday, and it addresses eight separate bulletins. Three bulletins are rated Critical and five are rated Important. Surprising no one, Internet Explorer is back with another Critical bulletin patching fourteen separate vulnerabilities. The spotlight of this release is MS14-060 (CVE-2014-4114). This 0-day vulnerability in the OLE package manager is being actively exploited in the wild in a campaign dubbed Sandworm. More details about it below.

Other fixes this month include another bug in the Windows Kernel-Mode Driver (KMD). The last KMD fix, back in August, was pulled and re-released after it caused blue screens on certain installations; hopefully similar issues won't be seen this month. Another interesting vulnerability this month is in the Windows FAT32 driver: although physical access is required to exploit it, successful exploitation results in arbitrary code execution with elevated privileges.

MS14-056 (KB2987107)
CVE-2014-4123, CVE-2014-4124, CVE-2014-4126, CVE-2014-4127, CVE-2014-4128, CVE-2014-4129, CVE-2014-4130, CVE-2014-4132, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4140, CVE-2014-4141
Cumulative Security Update for Internet Explorer

This security update resolves fourteen privately reported vulnerabilities in Internet Explorer, the majority of which are memory corruption issues. The most severe of these vulnerabilities could allow remote code execution and another allows for the bypass of ASLR memory protection. An attacker could exploit these vulnerabilities by convincing their victim to browse to a specially crafted webpage using Internet Explorer.

This security update is rated Critical for Internet Explorer 6 (IE 6), Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients and servers.

MS14-057 (KB3000414)
CVE-2014-4073, CVE-2014-4121, CVE-2014-4122
Vulnerabilities in .NET Framework Could Allow Remote Code Execution

This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of the vulnerabilities lies in how the .NET Framework parses internationalized resource identifiers (iriParsing). The incorrect parsing allows for memory corruption that an attacker could use for remote code execution. The iriParsing functionality is disabled by default in .NET 4.0 applications, while in .NET 4.5 applications iriParsing is enabled by default and cannot be disabled. The other two vulnerabilities allow for a bypass of ASLR memory protections and escalation of user privilege.

This security update is rated Critical for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected releases of Microsoft Windows.


MS14-058 (KB3000061)
CVE-2014-4113, CVE-2014-4148
Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution

The final Critical bulletin in this release patches two vulnerabilities in the Windows Kernel-Mode Driver. The first vulnerability allows privilege escalation for a currently logged-in user due to memory corruption. The second vulnerability allows arbitrary remote code execution because of the mishandling of TrueType fonts. To exploit the RCE vulnerability an attacker would only need the victim to view a document containing a maliciously crafted TrueType font; this could be a webpage or any Office document.

This security update is rated Critical for all supported releases of Microsoft Windows.


MS14-059 (KB2990942)
Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass

This bulletin patches a cross-site scripting (XSS) vulnerability in ASP.NET MVC. An attacker could exploit this vulnerability by injecting their own malicious code into websites running ASP.NET MVC. The attacker would then need to convince a victim to access the site in order to have the malicious code executed. XSS vulnerabilities are often dismissed with a lowered severity, but you only need to look at the Browser Exploitation Framework (BeEF) to see what attackers can do with XSS.

This security update is rated Important for ASP.NET MVC 2, ASP.NET MVC 3, ASP.NET MVC 4, ASP.NET MVC 5, and ASP.NET MVC 5.1.

MS14-060 (KB3000869)
CVE-2014-4114
Vulnerability in OLE Could Allow Remote Code Execution

This vulnerability was discovered by iSIGHT Partners in conjunction with their ongoing investigation of a gang of Russian-based criminals dubbed the Sandworm Team. The name comes from a multitude of references to Frank Herbert's amazing science fiction series, Dune. The group has been found targeting organizations in Russia, the EU, and the USA since at least 2009. Targets included the North Atlantic Treaty Organization (NATO) and numerous utility and telecommunications companies. In this specific case the gang was caught targeting organizations with a spear-phishing attack. The malicious document involved, a PowerPoint slide deck, exploited a previously unknown vulnerability in OLE. The vulnerability allows the attacker to execute any command. In the case of the Sandworm campaign, the criminals were dropping at least two variants of the BlackEnergy malware. BlackEnergy is bot-based malware with a plugin architecture that lets it adapt to a variety of uses like DDoS, credential theft, or spam distribution.

In short: discovered by iSIGHT and dubbed Sandworm, the vulnerability was used in a Russian spear-phishing campaign targeting NATO, the European Union, and the telecommunications and energy sectors.

This security update is rated Important for all supported releases of Microsoft Windows.
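A triage check a mail gateway or an analyst could run on inbound PowerPoint decks, the document type the post names for the Sandworm campaign: it inventories embedded OLE objects and external relationship targets inside an OOXML package. This is an added example, not Trustwave's or iSIGHT's code; the review policy, the function names and the constructed sample package are assumptions, and the heuristic flags decks for human review rather than detecting CVE-2014-4114 itself.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type for embedded OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def triage_pptx(data: bytes) -> dict:
    """Inventory embedded OLE objects and external relationship targets in an
    OOXML (.pptx) package held in memory."""
    report = {"embeddings": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                # Embedded OLE payloads are reached through an oleObject relationship.
                if rel.get("Type") == OLE_TYPE:
                    report["embeddings"].append((name, target))
                # External targets resolve outside the package (URLs, UNC paths).
                if rel.get("TargetMode") == "External":
                    report["external_targets"].append((name, target))
    return report

def needs_review(report: dict) -> bool:
    """Hypothetical triage policy: any embedded OLE object or external target
    sends the deck to an analyst instead of the user's inbox."""
    return bool(report["embeddings"] or report["external_targets"])

def build_sample_pptx() -> bytes:
    """Constructed minimal package for demonstration, not a real document:
    one slide with an embedded OLE object and one external hyperlink target."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_TYPE}" Target="../embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/'
        '2006/relationships/hyperlink" Target="http://example.invalid/" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        # OLE compound-file header bytes followed by filler; not a real object.
        zf.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()
```

On untrusted input, parse the relationship parts with defusedxml rather than the standard ElementTree, and treat a deck with no findings as unreviewed rather than clean.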


MS14-061 (KB3000434)
Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution

This bulletin patches a memory corruption vulnerability in Microsoft Word. An attacker could trigger the execution of arbitrary code by convincing their victim to open a malicious Word document. Successful exploitation yields the same user rights as the current user, so the risk can be lessened by restricting which users can operate with administrative access.

This security update is rated Important for supported editions of Microsoft Word 2007, Microsoft Office 2007, Microsoft Word 2010, Microsoft Office 2010, Microsoft Office for Mac 2011, Microsoft Office Compatibility Pack, Word Automation Services, and Microsoft Office Web Apps Server 2010.

MS14-062 (KB2993254)
Vulnerability in Message Queuing Service Could Allow Elevation of Privilege

This bulletin patches a vulnerability in the Microsoft Windows Message Queuing service. By sending a specially crafted input/output control (IOCTL) request to the Message Queuing service, an attacker can gain unrestricted access to a vulnerable system. The Message Queuing service is not installed on any affected operating system by default and can only be enabled by an administrative account.

This security update is rated Important for all supported editions of Windows Server 2003.


MS14-063 (KB2998579)
Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege

This bulletin patches a vulnerability in how Windows deals with FAT32 partitions. A vulnerability in the FASTFAT driver allows for arbitrary code execution with elevated privileges. When using the FASTFAT driver, a specific function causes a buffer under-allocation. This under-allocation allows an attacker to write arbitrary code to memory locations normally reserved by Windows. Although an attacker would need physical access to a vulnerable system to exploit this vulnerability, an attack could be pulled off with a simple FAT32-formatted USB stick.

This security update is rated Important for all supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008.
