Microsoft today released its final Patch Tuesday updates of the year, delivering three critical fixes and seven total bulletins that address just 24 unique vulnerabilities.
The relatively light December 2014 Patch Tuesday release comes after blockbuster iterations in October and November, which featured high-priority fixes for zero-day exploits and critical bulletins that were dropped at the last minute.
Wolfgang Kandek, chief technology officer for Qualys Inc., based in Redwood City, Calif., said that the lack of pressing zero days this month should lead enterprise administrators to focus initial patching efforts on MS14-080, Microsoft's usual cumulative update for Internet Explorer.
The IE bulletin, rated "Critical," resolved a total of 14 privately reported vulnerabilities that span all supported versions of Microsoft's Web browser. The most severe of the IE vulnerabilities could be exploited remotely to allow an attack to gain the same administrative rights as the current user.
In the same vein, Kandek said that administrators should prioritize MS14-084, a critical bulletin that addresses a single vulnerability in the VBScript scripting engine for Windows. Attackers can exploit the flaw remotely by luring targets to malicious websites, and can be used to gain full administrative rights over a system.
"Those two bulletins are really connected," said Kandek. "[MS14-084] is a separate bulletin because it's a separate piece of software for Microsoft, but the attack vector would ultimately be the browser."
MS14-081, the last of December's critical bulletins, fixes two vulnerabilities in Microsoft Word and Microsoft Office Web Apps (OWA). The exploit can be triggered if a user opens a malicious Word file in a vulnerable version of Office, which again could allow an attacker full control over a system.
The other four bulletins, all rated important by Microsoft, address a variety of bulletins across Windows, Office and Exchange. One of those bulletins, MS14-075, was originally scheduled for last month's Patch Tuesday release before being delayed to December. The update mitigates four vulnerabilities in supported versions of Exchange Server that could allow for privilege-escalation attacks if a user visits a malicious website.
Marc Maiffret, chief technology officer for Phoenix-based vulnerability management vendor BeyondTrust Inc., said the issue covered in MS14-075 is of particular importance for companies using OWA, and a reminder to organizations to be careful in how OWA servers are deployed and configured.
Apart from the seven new security bulletins, Microsoft also updated two previously released bulletins this month. MS14-065, November's cumulative IE patch, now includes a number of minor fixes for performance issues.
More significantly, MS14-066, a patch that resolved a vulnerability in Microsoft's Secure Channel (Schannel) security package, has been updated after systems running TLS version 1.2 encountered issues with dropped connections. Microsoft provided a workaround last month after the issues were reported, but the updated patch resolves any lingering problems.
"Many frustrated admins still suffering from ill-effects from Microsoft's botched, but critical, Schannel update will be getting an early Christmas present this year with a re-release of the MS14-066 patch," said Craig Young, a security researcher for Tripwire Inc., based in Portland, Ore. "With denial-of-service exploit code available, it's critical that all systems receive this patch ASAP."
Though the final Patch Tuesday of 2014 may not have produced fireworks, Kandek described the year as whole "hurried," with more of his clients than usual encountering issues and more enterprises generally cognizant of information security issues like Shellshock and Heartbleed.
Specifically, Kandek said that a larger percentage of the vulnerabilities Microsoft patched this year were zero days being actively exploited at the time. In 2013, Patch Tuesday releases produced a total of 106 bulletins with 18 zero days being fixed, Kandek noted, while Microsoft has mitigated 20 zero days across this year in just 85 total bulletins.
As a result, Kandek said that enterprise IT teams need to focus on streamlining patching efforts so that Patch Tuesday updates can be rolled out ideally within a week of release. Businesses should also turn to Microsoft's free Enhanced Mitigation Experience Toolkit security tool, Kandek added, which effectively mitigated all but one of this year's zero-days.
Without implementing such measures, Kandek said that enterprises are likely to be overrun by attackers that are growing more sophisticated, particularly when it comes to quickly reverse engineering vulnerabilities that Microsoft fixes on Patch Tuesday.
"If you look at software such as Internet Explorer, which was under intense scrutiny this year both by researchers and attackers, that's a pretty stable piece of software. … Microsoft's developers are constantly coming out with new countermeasures, and yet we still see elevated numbers of vulnerabilities being found in it," said Kandek. "The only way I can explain that is attackers are getting more sophisticated."
Maiffret said he was surprised at the lack of a new kernel-based privilege-escalation vulnerability, as has been common this year.
"[I'm] looking forward to 2015 and seeing what vulnerabilities await for us and how things shape up with Windows 8 having some distance on it now and Windows 10 looming around the corner."
Adobe releases two critical patches
Separately, Adobe Systems Inc. today released two critical bulletins, APSB14-27 and APSB14-28, that resolved a total of 26 vulnerabilities across different versions of its Flash Player, Acrobat and Reader software. The most severe of these flaws, if exploited, could allow attackers to take control of vulnerable systems.
Adobe urged users to upgrade to the latest versions of affected software: Flash 18.104.22.168 for Windows and Mac desktop users, Reader 11.0.10 and Acrobat 11.0.10. That Web browsers such as Google Chrome and the latest versions of Internet Explorer update Flash automatically should indicate how severe Flash security issues can be, Kandek said.
"For me, [Flash patches] are the same criticality as an Internet Explorer patch," said Kandek," and should be addressed within one week."
Still catching up on the hectic November Patch Tuesday release? Read our coverage to find out what your fixes your organization should be prioritizing.