With 14 bulletins this month covering almost 40 individual Common Vulnerabilities and Exposures (CVEs), November's Patch Tuesday is fairly significant in size, with one particular update considered fairly urgent: MS14-066, which fixes a vulnerability in Schannel, the component of Windows that implements SSL/TLS. Those of you with eagle eyes will have spotted that two bulletins are missing from the update (MS14-069 and MS14-075) – no release date has been confirmed by Microsoft as yet.
Microsoft’s advice is to apply all of the updates, which shouldn’t be an issue for home users, but for businesses that are geographically spread out, where there may be a slow internet connection, you’ll need to be very considered in the choice of patches you deploy first.
The Common Vulnerability Scoring System (CVSS), included in the table below, is provided independently by US-CERT and looks at the impact that certain vulnerabilities can have. Microsoft’s ‘Critical’ vulnerabilities are rated as such because there is a known active exploit, but using the CVSS score can give you a much better understanding of how easily your systems can be exploited and the potential impact each vulnerability could have. Looking at the table below, we can see some disparities between Microsoft’s rating and the independently scored CVSS.
The first update of November’s Patch Tuesday, MS14-064, resolves vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). With a CVSS of 9.3, this is one of five updates that you need to patch sooner rather than later. The more severe of the two vulnerabilities could allow remote code execution, enabling an attacker to run arbitrary code in the context of the current user. If that user has admin rights then the attacker could install programs; view, change, or delete data; or create new user accounts.
I’d argue that MS14-065 is by far the most important update for you to pay attention to, as it affects the entire Microsoft estate from the operating system to Internet Explorer. The update resolves seventeen privately reported vulnerabilities in Internet Explorer. An attacker who exploits these vulnerabilities could gain the same user rights as the current user. The most severe of these vulnerabilities would allow for remote code execution if a user views a specially crafted web page using Internet Explorer. Once again, this update has a CVSS of 9.3.
MS14-066 has been the focus of most blogs and articles this month, with most suggesting that it is in fact the single most important update to implement – rather than MS14-065. It’s a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows Server. However, the Schannel is not so easy to crack and the extent of the damage that can be caused is not as severe as other Critical updates. With a CVSS score of 6.8, I’d argue that there are other updates you should be prioritising over this one.
This security update, MS14-067 (CVSS of 9.3), resolves a vulnerability in Windows that could allow remote code execution if a logged-on user visits a specially crafted website that is designed to invoke XML Core Services (MSXML) through Internet Explorer. However, in order for an attacker to take advantage of this exploit they would need to convince a user to visit a website using social engineering.
Other notable updates
There are, in fact, two other updates you should be paying close attention to: MS14-069 and MS14-072. Microsoft has rated both of these updates as ‘Important’ but they have each been given an independent CVSS score of 9.3, so US-CERT is saying that these two updates are just as severe as those noted above.
- MS14-069 is a security update resolving three vulnerabilities in Microsoft Office that could allow remote code execution enabling an attacker to gain the same user access rights as the current user. It is exploited through a specially crafted file that is opened in an affected edition of Microsoft Office 2007.
- MS14-072 resolves a vulnerability in the .NET framework, which could allow elevation of privilege. According to Microsoft, it is exploited through an attacker sending specially crafted data to an affected workstation that uses .NET Remoting. However, only custom applications that have been specifically designed to use .NET Remoting would expose a system to this vulnerability.
Below is the full breakdown of this month’s patch updates. We recommend patching MS14-064, MS14-065, MS14-067, MS14-069, and MS14-072 in the first instance, before working through the rest of the updates. For our customers, we will be analysing the binary code for each update and will be rolling out the patches to all of our customers through the agreed deployment process using Verismic Syxsense.
| Bulletin | CVSS | Microsoft rating | Affected software | Description (KB) |
|---|---|---|---|---|
| MS14-064 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Windows OLE could allow remote code execution (3011443) |
| MS14-065 | 9.3 | | | Cumulative security update for Internet Explorer (3003057) |
| MS14-067 | 9.3 | Critical | Microsoft Windows | Vulnerability in XML Core Services could allow remote code execution (2993958) |
| MS14-069 | 9.3 | Important | Microsoft Office | Vulnerabilities in Microsoft Office could allow remote code execution (3009710) |
| MS14-072 | 9.3 | Important | Microsoft .NET Framework | Vulnerability in .NET Framework could allow elevation of privilege (3005210) |
| MS14-073 | 8.5 | Important | Microsoft Server Software | Vulnerability in Microsoft SharePoint Foundation could allow elevation of privilege (3000431) |
| | | | | Vulnerability in IME (Japanese) could allow elevation of privilege (2992719) |
| MS14-070 | 7.2 | Important | Microsoft Windows | Vulnerability in TCP/IP could allow elevation of privilege (2989935) |
| MS14-079 | 7.1 | Moderate | Microsoft Windows | Vulnerability in Kernel-Mode driver could allow denial of service (3002885) |
| MS14-066 | 6.8 | Critical | Microsoft Windows | Vulnerability in Schannel could allow remote code execution (2992611) |
| MS14-071 | 4.3 | Important | Microsoft Windows | Vulnerability in Windows Audio Service could allow elevation of privilege (3005607) |
| MS14-074 | 4.3 | Important | Microsoft Windows | Vulnerability in Remote Desktop Protocol could allow security feature bypass (3003743) |
| MS14-077 | 4.3 | Important | Microsoft Windows | Vulnerability in Active Directory Federation Services could allow information disclosure (3003381) |
| MS14-076 | 2.6 | Important | Microsoft Windows | Vulnerability in Internet Information Services (IIS) could allow security feature bypass (2982998) |
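
The comparison the article draws between Microsoft's rating and the CVSS score can be made mechanical. The following is an added example, not part of the original article: it bands each score using the NVD CVSS v2 ranges, flags bulletins whose vendor rating sits in a different band, and picks a first deployment wave. The rating-to-band mapping and the 9.0 threshold are assumptions of this example; the data is transcribed from the article.

```python
# Added example: values transcribed from this article's table and prose.
# (bulletin, CVSS, Microsoft rating); None = rating cell missing from the table.
BULLETINS = [
    ("MS14-064", 9.3, "Critical"),
    ("MS14-065", 9.3, None),
    ("MS14-067", 9.3, "Critical"),
    ("MS14-069", 9.3, "Important"),
    ("MS14-072", 9.3, "Important"),
    ("MS14-073", 8.5, "Important"),
    ("MS14-070", 7.2, "Important"),
    ("MS14-079", 7.1, "Moderate"),
    ("MS14-066", 6.8, "Critical"),
    ("MS14-071", 4.3, "Important"),
    ("MS14-074", 4.3, "Important"),
    ("MS14-077", 4.3, "Important"),
    ("MS14-076", 2.6, "Important"),
]

# Assumption of this example: the CVSS v2 band each vendor rating "should" match.
EXPECTED_BAND = {"Critical": "High", "Important": "Medium", "Moderate": "Low"}
BAND_ORDER = ["Low", "Medium", "High"]


def cvss_band(score):
    """NVD qualitative bands for CVSS v2 base scores."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"


def disparities(rows):
    """Map bulletin -> 'underrated' (vendor rating below CVSS band) or 'overrated'."""
    out = {}
    for bulletin, score, rating in rows:
        if rating is None:  # nothing to compare against
            continue
        gap = BAND_ORDER.index(cvss_band(score)) - BAND_ORDER.index(EXPECTED_BAND[rating])
        if gap:
            out[bulletin] = "underrated" if gap > 0 else "overrated"
    return out


def first_wave(rows, threshold=9.0):
    """Bulletins to deploy first: CVSS at or above the assumed threshold."""
    return sorted(b for b, score, _ in rows if score >= threshold)
```

With the default threshold, `first_wave(BULLETINS)` returns the same five bulletins the article recommends patching first, and `disparities(BULLETINS)` marks MS14-066 as rated higher by Microsoft than its CVSS band.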