On 2014's Last Patch Tuesday Microsoft Fixes IE, Office
Microsoft on Tuesday issued seven security updates for its software. The updates address 24 vulnerabilities in Microsoft Windows, Internet Explorer, Office and Exchange. Three are rated critical and four are rated important.
The three critical fixes patch remote code execution (RCE) flaws in Windows, Office and Internet Explorer. One bulletin, MS14-084, fixes an RCE vulnerability in the VBScript engine in Microsoft Windows, while MS14-080 fixes 14 privately reported vulnerabilities, including RCE, in Internet Explorer. Bulletin MS14-081 patches RCE vulnerabilities in Microsoft Word and Microsoft Office Web Apps.
Additionally, MS14-075, a bulletin rated important, fixes a bug in Microsoft Exchange Server that had been scheduled for November's Patch Tuesday but was delayed. It was rated important because it addresses an elevation-of-privilege vulnerability across several versions of Exchange. Other bulletins rated important include MS14-082, another update for Microsoft Word that covers RCE, and MS14-083, which fixes an RCE bug in Excel.
Marc Maiffret, CTO of BeyondTrust, an account management and vulnerability management software firm, said most of what Microsoft is patching this month continues a trend of the “greatest hits” collection of commonly attacked Microsoft software.
“Probably the one thing that broke the mold this month is that for once there is not some sort of kernel privilege escalation vulnerability as we commonly see. The Internet Explorer vulnerabilities are of course the ones to patch first, followed by the Office-related vulnerabilities,” Maiffret said. “Looking forward to 2015 and seeing what vulnerabilities await us and how things shape up with Windows 8 having some distance on it now and Windows 10 looming around the corner.”
Use This Patch Now
Craig Young, security researcher at advanced threat protection firm Tripwire, told us many frustrated admins still suffering from the ill effects of Microsoft’s botched -- but critical -- SChannel update will be getting an early Christmas present this year with a re-release of the MS14-066 patch.
“Initially released last month, the patches caused a variety of TLS (Transport Layer Security) connection woes,” Young said. “With denial-of-service exploit code available, it’s critical that all systems receive this patch ASAP.”
Young noted that the issue can be exploited with an HTTPS request or remote desktop connection providing a maliciously crafted certificate for authentication. Unlike other Remote Desktop Protocol vulnerabilities disclosed in recent years, the use of network-level authentication does not mitigate this vulnerability at all because it’s exploited during the SSL/TLS handshake, he said. The only saving grace for enterprises is that achieving reliable code execution is not a trivial task.
“As usual Internet Explorer updates should be at the top of the priority list for Windows administrators,” Young said. “Even in organizations where other browsers are used, it is critical to keep IE up to date because there is a risk that vulnerable components are integrated into other software packages.”
As Young sees it, Microsoft Word components should also receive high attention due to two parser failures that can lead to code execution. That's because the risk from this vulnerability is particularly high on SharePoint or Office Web Apps deployments that accept documents from untrusted users, he said.
A Busy Holiday Season
Andrew Storms, security analyst for Tripwire and vice president of security services for systems architecture firm New Context, told us there will be no pretty packages from Microsoft or Adobe under IT admins’ trees this month -- unless, of course, they like being inundated with more critical security patches just before a major holiday.
“IT admins will be struggling with competing objectives this month in their deciding when to patch their systems,” Storms said. “The holidays are typically a time when enterprise back office systems are locked down and no changes are permitted.”
However, given the moderate size of this month's Microsoft patch and the external concerns that the ongoing Sony breach has put on security managers' minds, many people will be debating whether it might be worth installing at least some of the patches before the lockdown period ends, he added.
“Security patches to Internet Explorer, Office and Exchange Server in the same month mean that nearly everyone in IT and security teams will be mighty busy assessing the risks and payoffs of these updates,” Storms said. “Microsoft's updates combined with Adobe's updates today will keep IT teams busier than they’d like to be as we approach the holidays.”
Year in Review
We caught up with Russ Ernst, Director of Product Management at endpoint security software firm Lumension, to get his take on the bigger picture. He offered a quick year-over-year comparison of Patch Tuesday.
According to his research, the total number of bulletins released by Microsoft in 2014 was 85, closest in number to 2012 when 83 patches were released in all. However, 2013 was a busier year for IT with 106 necessary Microsoft patches, assuming no out-of-band patches later this month.
“The good news is 2014 closed out with just 30 critical rated patches which is an improvement over both 2012 when 35 critical patches were issued and 2013 when there were 42,” he said. “Even with that good news, the overall number of all vulnerabilities in 2014 is at an all-time high of nearly 7,500.”
With the Microsoft vulnerability count this year accounting for just over 6 percent of the total, down from nearly 10 percent last year, Ernst said attackers are continuing the trend of focusing on third-party applications and platforms other than Windows.
“While there is no way to predict what 2015 will look like of course,” he concluded, “I can’t help but wonder how the September cuts to the Trustworthy Computing Group at Microsoft will impact their ability to keep these statistics moving in the right direction.”