Patch Tuesday: Back In Full Swing!

After a relatively light Patch Tuesday last month, October’s security updates are back in full swing. This month brings eight security bulletins covering a total of 24 vulnerabilities discovered in Internet Explorer, Office, and the .NET Framework. Three of the bulletins are rated Critical; full details can be seen below.

Critical updates

Internet Explorer features heavily in this month’s update, with the first Critical update, MS14-056, addressing 14 privately reported vulnerabilities and scoring a CVSS of 9.3. The most severe of these could allow remote code execution, giving the attacker the same admin rights as the current user.

The second of the Critical updates, MS14-057, could also allow remote code execution if the attacker sends a specially crafted URI request containing international characters to a .NET web application. The three privately reported vulnerabilities score CVSS 9.3, so remediation should be done as soon as technically possible.

The final of this month’s Critical updates, MS14-058, resolves two privately reported vulnerabilities in Windows, again with a CVSS score of 9.3. Once again, the more severe of the two could allow remote code execution. What is interesting here is that the attacker would have to rely on a phishing attack to exploit this vulnerability, as it requires the attacker to convince a user to open a specially crafted document or visit an untrusted website.

Important update – but no less critical

By far the most important patch in this month’s update is MS14-060, as there are already zero-day attacks taking advantage of this vulnerability, so remediation is recommended as soon as technically possible. While this security update is only rated Important by Microsoft, it has been independently scored CVSS 9.3 for all supported releases of Microsoft Windows, excluding Windows Server 2003.

The security update resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if a user opens an Office file containing a specially crafted OLE object. This would allow an attacker to execute any command in the context of the user, such as installing programs; viewing, changing, or deleting data; or creating new accounts with full user rights.

Next steps

As always, it’s vital to remediate the Critical vulnerabilities at the earliest opportunity, so we will be analysing the binary code for each patch update and rolling out the updates to all of our customers through the agreed deployment process using Verismic Syxsense.

| Update no. | CVSS score | Microsoft score | Affected Software | Details |
|---|---|---|---|---|
| MS14-056 | 9.3 | Critical | Microsoft Windows, Windows Explorer | Cumulative Security update for Internet Explorer (2987107) |
| MS14-057 | 9.3 | Critical | Microsoft Windows, Microsoft .NET framework | Vulnerabilities in .NET framework could allow remote code execution (3000414) |
| MS14-058 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Kernel-Mode driver could allow remote code execution (3000061) |
| MS14-060 | 9.3 | Important | Microsoft Windows | Vulnerability in Windows OLE could allow remote code execution (3000869) |
| MS14-061 | 9.3 | Important | Microsoft Office, Microsoft Office services, Microsoft Office web app | Vulnerability in Microsoft Word and Office web apps could allow remote code execution (3000434) |
| MS14-063 | 7.2 | Important | Microsoft Windows | Vulnerability in FAT32 disk partition driver could allow elevation of privilege (2998579) |
| MS14-062 | 6.8 | Important | Microsoft Windows | Vulnerability in message queuing service could allow elevation of privilege (2993254) |
| MS14-059 | 4.3 | Important | Microsoft Developer tools | Vulnerability in ASP.Net MVC could allow security feature bypass (2990942) |