
Hefty November 2014 Patch Tuesday delivers four critical bulletins

The zero-day patch was one of four critical bulletins Microsoft delivered as part of its largest Patch Tuesday release of 2014; a fifth critical bulletin was dropped at the last moment.

Microsoft's monthly Patch Tuesday releases had been unremarkable for most of 2014. A busy October iteration saw activity pick up, though, as four zero-day vulnerabilities were addressed, and now the November Patch Tuesday batch has delivered the heftiest patch haul of the year, with four critical fixes and 14 total bulletins.

The most pressing bulletin in this month's release, MS14-064, features a fix for CVE-2014-6352, which describes a vulnerability in the Windows Object Linking and Embedding (OLE) packager that Microsoft said has been used in limited attacks. If exploited, the flaw can be utilized by attackers to take complete control of a system remotely.

Amol Sarwate, director of engineering for Qualys Inc., based in Redwood City, Calif., said that attackers have been spotted using malicious PowerPoint presentations to exploit the issue described in CVE-2014-6352, though users could also be tricked into visiting websites hosting exploit code.

If that vulnerability sounds familiar, Sarwate said it's because the flaw originally stemmed from weaknesses related to MS14-060, a bulletin issued in October that was meant to mitigate CVE-2014-4114 -- the so-called "Sandworm" OLE vulnerability.

According to an October blog post by researchers with Intel Corp.'s McAfee business unit, those who had installed the MS14-060 fix were inadvertently put at risk. After realizing that the bulletin was incomplete, Microsoft provided a "Fix it" tool to temporarily mitigate the issue as part of Security Advisory 3010060, though the new patch should fully address any lingering issues.

"Whenever an exploit is used in targeted attacks, it's pretty easy for other exploit writers to reverse it and write their own exploits," said Sarwate, adding that implementing MS14-064 should be the chief priority for administrators this month. "Who knows, someone may have already reversed it and is already targeting some other person of interest."

Craig Young, security researcher for Tripwire Inc., based in Portland, Oregon, said that the next most important patch this month is MS14-066, which addressed a privately reported vulnerability in Microsoft's Secure Channel (Schannel) security package -- essentially the company's internal version of SSL/TLS. The Microsoft bulletin stated that the Schannel flaw, CVE-2014-6321, was the result of "improper processing of specially crafted packets."

If successfully exploited, Young said the flaw could allow unauthenticated attackers to execute arbitrary code on desktop systems with RDP enabled, Web applications using IIS for HTTPS, and many other Microsoft products.

Between Heartbleed and Shellshock, Young noted that 2014 has already been a banner year for SSL vulnerabilities, but CVE-2014-6321 may yet be the worst of the bunch because of the large number of systems potentially affected. As a result, Young said that some admins should consider MS14-066 a higher priority than this month's cumulative Internet Explorer patch.

"Heartbleed was less powerful because it was 'just' an information disclosure bug and Shellshock was remotely exploitable only in a subset of affected systems," said Young. "Fortunately, Microsoft's assessment is that reliable exploitation of this bug will be tricky. Hopefully, this will give admins enough time to patch their systems before we see exploits."

Out of the two remaining critical bulletins this month, Sarwate said that MS14-065, the cumulative IE patch, should be the priority for most organizations. The bulletin addresses a total of 17 unique vulnerabilities across all supported versions of Microsoft's Web browser, the most severe of which could allow attackers to gain the same privileges as a current user and to remotely execute code.

This month's final critical bulletin, MS14-067, addressed a privately reported vulnerability across several supported versions of Windows and Windows Server that could allow arbitrary code to be executed. The flaw is the result of Microsoft's XML Core Services (MSXML) improperly parsing XML content, and can be triggered by attackers tricking IE users into visiting malicious websites.

Though the November Patch Tuesday is the largest of 2014, Microsoft's original release plan actually included two more bulletins -- MS14-068 and MS14-075 -- that didn't make the cut. MS14-068 was meant to be a critical bulletin that addressed an undisclosed flaw in Microsoft Exchange.

Tyler Reguly, manager of security research and development at Tripwire, said that while Microsoft commonly pulls unfinished patches as part of its QA process, it is odd for the numbering used for the bulletins to remain unchanged. "This means that we'll likely see both of these bulletins released next month, and they will be out of order from the other bulletins," said Reguly.

Out of the remaining 10 bulletins in the November 2014 Patch Tuesday release, eight were rated as important and two as moderate. The vulnerabilities included in those bulletins spanned the range of Microsoft's products, including Windows, Office, .NET Framework and Windows Server.

Microsoft releases EMET 5.1

In addition to the 14 security bulletins released today, Microsoft also offered a helping hand to organizations with Monday's release of an updated version of its Enhanced Mitigation Experience Toolkit (EMET), which the software giant often touts as a first line of defense against zero days. Microsoft said that EMET 5.1 is meant to resolve a number of compatibility issues with IE 11 and third-party applications, including Adobe Flash and Reader.

EMET 5.1 also features unnamed improvements to mitigations that, according to the vendor, "make them more resilient to attacks and bypasses." The Microsoft security tool has been a subject of interest for both attackers and researchers recently, with security vendor Bromium having reported a complete bypass of EMET's protections earlier this year.

"With all of the affected platforms and applications, as well as the release of a new Enhanced Mitigation Experience Toolkit, admins are going to have a lot of systems to patch in preparation for a solid and secure holiday season," said Jon Rudolph, senior software engineer for Core Security.

Adobe November 2014 patch update

Separately, Adobe Systems Inc. today released a critical bulletin, APSB14-24, that resolved a total of 18 vulnerabilities across different versions of its Flash Player and AIR software. The flaws could allow attackers to take control of vulnerable systems if exploited.

Adobe urged Flash users in particular to upgrade to the latest version of the software: for Windows and Mac desktop users, and for the Flash extended support release. Microsoft also re-released Security Advisory 2755801 to fix unresolved Flash vulnerabilities in versions 10 and 11 of Internet Explorer.


Next Steps

Still need help catching up with the October 2014 Patch Tuesday? Read our coverage of last month's release, including the four zero-day vulnerabilities that Microsoft patched.