This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for December 2014.
Well, this is the last Patch Tuesday update for 2014. If you recall from last month, one of the bulletins (MS14-075) was held back from the November release and was not issued as an out-of-band patch in the meantime. It is included this month with the other December releases, giving us a total of seven (7) security updates from Microsoft for December.
For this month, three (3) of these are rated Critical, the rating Microsoft gives a vulnerability whose exploitation could allow code execution without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and try to patch as quickly as possible. The three (3) Critical bulletins this month affect Internet Explorer, Word and the Office Web Apps, and the VBScript scripting engine. The other four (4) are rated Important.
Clarification of the McAfee Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections list McAfee products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see a McAfee product listed in both sections, which indicates that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for another. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory referenced by number in the table.
This month’s patches include the following:
Let’s take a closer look at each of the Microsoft Security Bulletins:
MS14-075 (CVE-2014-6319 & CVE-2014-6336)
This Important update addresses four (4) different vulnerabilities in all currently supported versions of Microsoft Exchange Server 2007, 2010, and 2013. The first is a token spoofing vulnerability in Outlook Web App (OWA) that could allow an attacker to send email that appears to come from someone other than the attacker. The second and third are cross-site scripting (XSS) vulnerabilities in OWA that could allow an attacker to run script in the security context of the targeted user, and with it read content or take actions on the OWA site as that user. To exploit either one, an attacker needs to convince a user to click a specially crafted URL pointing at the targeted Outlook Web App site. The final vulnerability exists because OWA fails to properly validate redirection tokens: an attacker who exploits it could redirect a user off the user's domain to a different domain and, as with the first vulnerability, send email that appears to come from someone other than the attacker. Users of OWA are the primary targets, so if your Exchange Server exposes OWA it is recommended that you apply this update.
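The last of the four issues is the classic open-redirect failure: the application trusts a return URL without confirming that it stays on its own host. As an added example (this is not Exchange or OWA code, and it does not reproduce Microsoft's fix), here is a redirect-target check of that kind in Python, shown next to the naive "starts with a slash" check it replaces. The origin `https://mail.example.com`, the function names and the sample targets are assumptions chosen for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not Exchange or OWA code. The application origin is an
# assumption chosen for illustration.
APP_ORIGIN = "https://mail.example.com"


def naive_is_local_redirect(target: str) -> bool:
    """A check that looks sufficient and is not: a leading slash does not keep
    the browser on this host, because "//evil.example/" is scheme-relative."""
    return target.startswith("/")


def is_safe_redirect(target: str, app_origin: str = APP_ORIGIN) -> bool:
    """Accept a redirect target only if it resolves to the application's own
    scheme and host; everything else, including a downgrade to http, is refused."""
    if not target:
        return False
    # Browsers strip or fold control characters and whitespace, so a target
    # such as "java\tscript:..." must be refused before any parsing happens.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat a backslash like a slash ("/\evil.example/") and skip any
    # run of leading slashes, reading whatever follows as the host.
    if "\\" in target or target.startswith("//"):
        return False
    # Resolve the target the way the browser will, against the application's
    # origin, then compare the resulting scheme and host (case-insensitively).
    # An explicit port or user-info part fails the comparison, which is the
    # conservative outcome.
    resolved = urlsplit(urljoin(app_origin + "/", target))
    expected = urlsplit(app_origin)
    return (resolved.scheme == expected.scheme
            and resolved.netloc.lower() == expected.netloc.lower())


def redirect_target(requested: str, fallback: str = "/owa/") -> str:
    """Return the requested target if it passes the check, otherwise the fallback."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed inputs: the first two should pass, the rest should be refused.
    for candidate in ("/owa/?ae=Folder", "https://mail.example.com/owa/",
                      "//evil.example/", "/\\evil.example/", "///evil.example/",
                      "https://mail.example.com@evil.example/",
                      "http://mail.example.com/owa/", "javascript:alert(1)"):
        print(repr(candidate), naive_is_local_redirect(candidate),
              is_safe_redirect(candidate))
```

The point of resolving the target with `urljoin` before comparing is that the check then sees the same absolute URL the browser will navigate to, rather than reasoning about string prefixes; the explicit rejections before it cover the inputs where browser URL parsing is more permissive than Python's.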
MS14-080 (CVE-2014-6327 through CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373 through CVE-2014-6376, and CVE-2014-8966)
Here's our standard cumulative security update for Internet Explorer in the Patch Tuesday updates. This one resolves fourteen (14) vulnerabilities in Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because the affected versions span the entire supported range, this bulletin applies to a very large installed base of Internet Explorer users. Let's take a closer look at the vulnerabilities covered by this patch:
- Ten (10) of these vulnerabilities are Internet Explorer Memory Corruption Remote Code Execution vulnerabilities. An attacker could use any of them to corrupt memory in a way that allows arbitrary code to run with the same rights as the currently logged-on user.
- Two (2) of the vulnerabilities are XSS Filter Bypass vulnerabilities. These are classified as Security Feature Bypass vulnerabilities. Exploitation of these vulnerabilities could result in scripts running in the wrong security context and lead to information disclosure.
- One (1) of the vulnerabilities affects the Address Space Layout Randomization (ASLR) security feature. This vulnerability would need to be combined with another one to allow an attacker to execute arbitrary code.
- The final vulnerability in this bulletin is a Memory Corruption Remote Code Execution vulnerability in the VBScript engine when rendered in Internet Explorer. An attacker has to convince a user to view a specially crafted website in order to exploit this vulnerability.
- Similarly to last month, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or on a forum or blog site that allows users to post their own content. Users could be drawn to one of these sites by clicking a link in a search results page, in an email message, or in an attachment. Good email hygiene, with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place, will help keep users from straying to an affected website. Since we expect some of the known-bad sites on the Internet to harbor this type of attack, good web browsing habits and tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
As you can see from the number of CVEs listed, many individual threats are wrapped together in this one bulletin. The McAfee Labs Threat Advisories break down the individual threats, which McAfee products are Covered Products, and which McAfee products are Under Analysis.
MS14-081 (CVE-2014-6356 & CVE-2014-6357)
This Critical security update addresses two (2) separate vulnerabilities in Microsoft Word and the Microsoft Office Web Apps. Both are Remote Code Execution vulnerabilities that an attacker could exploit by convincing a user to open or preview a specially crafted Microsoft Word document. In both cases the attacker could gain the same user rights as the currently logged-on user, which reinforces the security best practice of not operating with administrative permissions: users configured with fewer rights have less exposure. Versions of Microsoft Office affected are Word 2007, 2010, 2013, and 2013 RT, Office for Mac 2011, Word Viewer, and the Office Compatibility Pack. Microsoft Office 2013 RT is the version that runs on Windows RT systems, such as the Microsoft Surface and Surface 2 tablets. Word Automation Services on SharePoint Server 2010 and 2013 and the Microsoft Office Web Apps 2010 and 2013 are also affected.
MS14-082 (CVE-2014-6364)
Here we have another Remote Code Execution vulnerability, this one rated Important; it affects Microsoft Office 2007, 2010, 2013, and 2013 RT. An attacker would need to convince a user to open a specially crafted file, after which the attacker could gain the same user rights as the currently logged-on user. As is the case with MS14-081, this reinforces the security best practice of not operating with administrative permissions.
MS14-083 (CVE-2014-6360 & CVE-2014-6361)
This security update is for two (2) vulnerabilities in Microsoft Excel that could allow remote code execution. It affects Excel 2007, 2010, 2013, 2013 RT, and the Office Compatibility Pack. Both vulnerabilities are present because Excel improperly handles objects in memory while parsing specially crafted Office files. In the same fashion as MS14-081 and MS14-082, the attacker could gain the same user rights as the currently logged on user.
MS14-084 (CVE-2014-6363)
This Critical update fixes a vulnerability in how the VBScript scripting engine handles objects in memory when rendered in Internet Explorer; it is the same VBScript issue listed under MS14-080 above, delivered here for systems where the Internet Explorer cumulative update does not cover it. Depending on the version of Windows and Internet Explorer used, this affects VBScript 5.6, 5.7, and 5.8. A chart showing which version of VBScript ships with each version of Internet Explorer is included on the MS14-084 page. Continuing our trend, an attacker who exploits this vulnerability could gain the same user rights as the currently logged-on user.
MS14-085 (CVE-2014-6355)
Lastly, this Important security update is for a publicly disclosed vulnerability in Microsoft Windows. It is an Information Disclosure vulnerability in the Microsoft Graphics Component caused by improper handling of JPEG images while they are decoded in memory; a user would have to view specially crafted JPEG content, for example on a website. By itself the vulnerability does not allow arbitrary code execution, but the information it discloses about the system could be combined with another vulnerability to compromise it. Even though this was publicly disclosed, Microsoft was not aware of any attacks using it against customers.
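The failure mode behind a bug of this kind is a decoder that trusts the lengths and counts embedded in the image instead of checking them against the bytes it actually holds, so a crafted file can steer it into reading memory beyond the image data. As an added example (not Microsoft's code, and not a model of the fixed component), here is a Python walk over the marker segments of a JPEG header that validates every declared segment length and frame-header component count before touching the payload. The sample headers at the bottom are constructed by hand for this illustration, and the function names are assumptions.

```python
import struct

# Added example, not Microsoft's code: a bounds-checked walk over the marker
# segments of a JPEG header. Every declared length is validated against the
# bytes actually present before any payload is read; the sample inputs at the
# bottom are constructed by hand and are not real images.

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
FRAME_HEADERS = {0xC0, 0xC1, 0xC2}                        # SOF0/1/2 share one layout
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))    # markers with no length field


class JpegError(ValueError):
    """Raised for structurally invalid input instead of reading past it."""


def walk_segments(data: bytes) -> list:
    """Return [(marker, payload), ...] for the header segments up to and including SOS."""
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise JpegError("missing SOI marker")
    pos, segments = 2, []
    while True:
        if pos + 2 > len(data):
            raise JpegError("truncated: no marker at offset %d" % pos)
        if data[pos] != 0xFF:
            raise JpegError("expected 0xFF at offset %d, got 0x%02X" % (pos, data[pos]))
        while data[pos + 1] == 0xFF:                      # fill bytes may precede a marker
            pos += 1
            if pos + 1 >= len(data):
                raise JpegError("truncated marker")
        marker = data[pos + 1]
        pos += 2
        if marker == 0x00:
            raise JpegError("stuffed 0x00 where a marker code was expected")
        if marker in STANDALONE:
            segments.append((marker, b""))
            if marker == EOI:
                return segments
            continue
        if pos + 2 > len(data):
            raise JpegError("truncated length field for marker 0x%02X" % marker)
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:                                    # length counts its own two bytes
            raise JpegError("length %d too small for marker 0x%02X" % (length, marker))
        end = pos + length
        if end > len(data):                               # the check a crafted file counts on being absent
            raise JpegError("segment 0x%02X declares %d bytes but only %d remain"
                            % (marker, length, len(data) - pos))
        segments.append((marker, data[pos + 2:end]))
        pos = end
        if marker == SOS:                                 # entropy-coded data follows; stop here
            return segments


def parse_frame_header(payload: bytes) -> dict:
    """Decode an SOF payload, checking the component count against the payload size."""
    if len(payload) < 6:
        raise JpegError("frame header too short (%d bytes)" % len(payload))
    precision = payload[0]
    height, width = struct.unpack(">HH", payload[1:5])
    ncomp = payload[5]
    if len(payload) != 6 + 3 * ncomp:                      # three bytes per component
        raise JpegError("frame header declares %d components but carries %d bytes of component data"
                        % (ncomp, len(payload) - 6))
    if ncomp == 0 or width == 0:
        raise JpegError("frame header with zero components or zero width")
    return {"precision": precision, "width": width, "height": height, "components": ncomp}


def check_jpeg(data: bytes):
    """Return (True, info) for a well-formed header, or (False, reason) if rejected."""
    try:
        segments = walk_segments(data)
        info = {"markers": [marker for marker, _ in segments]}
        for marker, payload in segments:
            if marker in FRAME_HEADERS:
                info.update(parse_frame_header(payload))
        return True, info
    except JpegError as exc:
        return False, str(exc)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a minimal 32x16 single-component baseline header ...
_APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOF0 = bytes([8]) + struct.pack(">HH", 16, 32) + bytes([1, 1, 0x11, 0])
_SOS = bytes([1, 1, 0x00, 0, 63, 0])
GOOD = b"\xFF\xD8" + _segment(0xE0, _APP0) + _segment(0xC0, _SOF0) + _segment(SOS, _SOS)
# ... the same header with the SOF0 length field overstated to 16384 bytes ...
OVERSIZED = b"\xFF\xD8" + _segment(0xE0, _APP0) + b"\xFF\xC0" + struct.pack(">H", 0x4000) + _SOF0
# ... and one whose frame header claims three components but carries data for one.
MISCOUNTED = (b"\xFF\xD8" + _segment(0xE0, _APP0)
              + _segment(0xC0, bytes([8]) + struct.pack(">HH", 16, 32) + bytes([3, 1, 0x11, 0]))
              + _segment(SOS, _SOS))

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("oversized", OVERSIZED), ("miscounted", MISCOUNTED)):
        print(name, check_jpeg(sample))
```

The two rejections that matter are the ones on the declared segment length and on the component count: both are values the file supplies, and both, if trusted, would be used as the size of a read. A decoder that checks them against the bytes it has can only ever fail closed on a crafted file.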
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Bonus Vulnerability Coverage: Just like last month, here's a bonus vulnerability. Although not technically a Microsoft Security Bulletin, Microsoft updated Microsoft Security Advisory 2755801 in December to address new vulnerabilities in the Adobe Flash Player. This only addresses the Adobe Flash Player integrated into Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could allow an attacker to take control of the affected system, this should also be treated as a Critical update. Details are also available in Adobe Security Bulletin APSB14-27. A McAfee Labs Security Advisory for this vulnerability will be published to the McAfee Labs Security Advisories Community site.
Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.
Finally, these briefings are archived on the McAfee Community site.
For additional useful security information, please make note of the following links:
You can also review the Microsoft Summary for December 2014 at the Microsoft site.
Until next YEAR…stay safe!