December Patch Tuesday updates from Microsoft

The final Patch Tuesday of 2014 is upon us so with that in mind we thought we’d take a quick look at how the year stacks up. There were a total of 85 bulletins fixing 349 separate vulnerabilities in Microsoft’s products; 29 were rated as Critical, 53 as Important, and 3 rated Moderate. Internet Explorer featured heavily this year, with over 200 separate vulnerabilities being patched – January being the only month where Internet Explorer didn’t feature in any update.

Compared to last year there were 21 fewer patch updates yet there were more individual vulnerabilities patched in 2014 compared to 2013 (349 vs. 332).

This month there are three Critical and four Important updates fixing a total of 25 vulnerabilities, including the delayed MS14-075 update from November, which we’ll cover first.

MS14-075

Rated as Important, this is the delayed update that was originally due to be released in November’s Patch Tuesday that addresses four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of the four could allow elevation of privilege if a user views a specially crafted web page using…Internet Explorer unsurprisingly! Should an attacker successfully exploit the vulnerability they would be able to gain the same rights as the current user.

Critical Updates

MS14-080

The most severe of the 14 privately reported vulnerabilities in this bulletin could allow remote code execution, again, if the user visits a specially crafted web page using Internet Explorer. Successful exploitation would give the same rights to the attacker as the current user.

MS14-081

The second of three Critical updates resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow for remote code execution if an attacker is able to convince a user to open, or even just preview, a specially crafted Microsoft Word file within an affected version of Microsoft Office software. The affected versions include: all supported editions of Microsoft Word 2007, Microsoft Office 2010, Microsoft Word 2010, Microsoft Word 2013, Microsoft Word 2013 RT, Microsoft Office for Mac 2011, Microsoft Word Viewer, Microsoft Office Compatibility Pack.

MS14-084

The final Critical update of 2014 is a security update that resolves a privately reported vulnerability in VBScript – the scripting engine in Microsoft Windows. If a user visits a specially crafted website the vulnerability could allow for remote code execution, which, if successfully exploited, will give the attacker the same rights as the current user. If the user is an administrator then the attacker could potentially take complete control of an affected system so it would be wise to prioritise this patch over the others.

Important Updates

The final three updates (unless an out-of-band patch is released) address three privately reported vulnerabilities across Microsoft Office and Microsoft Excel, as well as one publicly disclosed vulnerability in Microsoft Windows. All three of the privately reported vulnerabilities could allow for remote code execution if successfully exploited. Again, this could allow an attacker to gain the same rights as the current user.

The publicly disclosed vulnerability (MS14-085) could allow Information Disclosure should a user visit a website containing specially crafted JPEG content. Whilst this particular vulnerability doesn’t allow code execution, the information disclosed could reveal details about the system that could be used in conjunction with another vulnerability to bypass security features.

Next steps

As usual, we have included a breakdown of this month’s bulletin in the table below and have prioritised the patch updates by the independently rated CVSS score. We’d advise that you prioritise patches MS14-080, MS14-081, MS14-082, MS14-083 & MS14-084. For our customers, we will be analysing the binary code for each update and will be rolling out the patch updates using Verismic Syxsense, as per the agreed deployment process.