Microsoft's October Patch Includes Zero-Day Windows and IE Flaw Fixes
This month's security offering includes three bulletins rated "critical" and five "important" items.
Microsoft's monthly security update arrived today, packed with nine bulletins that are aimed at 24 different Common Vulnerabilities & Exposures (CVEs).
The first order of business for IT is to apply Bulletin MS14-058 -- the first of three "critical" rated items. This fix takes care of two privately reported issues in the Windows kernel-mode driver that have been seen being used by attackers in the wild to pull off remote code execution (RCE) attacks.
The vulnerability has already been known to be used by Russian hackers to spy on the U.S. and Ukrainian governments, NATO and European telecom and energy companies. According to security firm iSight Partners, which disclosed one of the two flaws and has called it "SandWorm," the hole has been used by the Russian criminal ring since late summer to spy on Windows Vista and Windows 8.1 users.
"In late August, while tracking the Sandworm Team, iSight discovered a spear-phishing campaign targeting the Ukrainian government and at least one United States organization," wrote iSight Partners' Stephen Ward. "Notably, these spear-phishing attacks coincided with the NATO summit on Ukraine held in Wales."
While the specific information stolen is unknown, the security firm believes it was associated with the current standoff between Russia and Ukraine.
According to Microsoft, the vulnerabilities can be exploited if a targeted user opens a specially crafted document containing a custom, malicious TrueType font. While attacks have only been seen targeting the two latest Microsoft OSes, all supported versions of Windows Server and the Windows OS are affected.
The next item to prioritize should be MS14-056, a cumulative fix for Internet Explorer that addresses 14 privately reported flaws. If exploited, the most severe could lead to an attacker gaining the same user rights as the target. Just like the previous item, one of the flaws in this fix has already been seen in the wild, and active exploits for the remaining 13 holes should be expected shortly. Chris Goettl, product manager with security firm Shavlik, said that the trend of Microsoft packing its monthly patch with a cumulative IE fix should continue for the foreseeable future.
"As we have seen since June and we could continue to see each month for a while, the IE update resolves issues relating to objects in memory," commented Goettl in an e-mailed response. "The 14 vulnerabilities are resolved by changing how IE handles objects in memory."
Bulletin MS14-057, Microsoft's final critical update for the month, looks to take care of three privately reported flaws in the Microsoft .NET Framework that could lead to an RCE attack if left unpatched. The issue lies with iriParsing in the .NET Framework, and can be exploited if a malicious URI request is sent to a targeted machine. Thankfully, unlike the first two items, Microsoft has yet to see any active attacks exploiting any of these three flaws.
Microsoft's October patch also includes the following five bulletins rated "important":
- MS14-059: Addresses a reported issue in ASP.NET MVC that could lead to a security feature bypass when a malicious URL is clicked on. The fix should be applied by users of ASP.NET MVC 2.0 through 5.1.
- MS14-060: This item fixes a privately reported flaw in Windows OLE that could lead to an RCE attack if left unaddressed. All supported versions of Windows Server and the Windows OS are affected.
- MS14-061: This fix for Office and Office Web Apps addresses one issue that could lead to an RCE attack if a malicious Office file is opened.
- MS14-062: Takes care of a flaw in Windows that could lead to an elevation of privilege if a malicious input/output control (IOCTL) request is sent to the Message Queuing service.
- MS14-063: The final item of the month addresses a vulnerability in the way the Windows FASTFAT system driver interacts with FAT32 disk partitions. If left unpatched, an elevation of privilege attack could be developed.
Many of these bulletins will require a restart before being fully implemented.
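For IT staff rolling out these bulletins, the two things worth confirming on each host are that the corresponding updates are actually present and that no restart is still outstanding. The following PowerShell script is an added example, not part of the original article or of any Microsoft tooling; the article does not list the KB numbers behind each bulletin, so the KB values below are placeholders that must be replaced with the ids from each bulletin's own entry. The two registry markers checked for a pending reboot are the ones left behind by Component Based Servicing and by Windows Update until the restart completes.

```powershell
# Added example (not from the article): confirm the October bulletins are
# installed on this host and report whether a reboot is still pending.

# KB numbers are NOT given in the article; these are placeholders to be
# replaced with the KB ids listed in each bulletin's entry.
$bulletinKBs = [ordered]@{
    'MS14-056' = 'KB-PLACEHOLDER-056'
    'MS14-057' = 'KB-PLACEHOLDER-057'
    'MS14-058' = 'KB-PLACEHOLDER-058'
    'MS14-059' = 'KB-PLACEHOLDER-059'
    'MS14-060' = 'KB-PLACEHOLDER-060'
    'MS14-061' = 'KB-PLACEHOLDER-061'
    'MS14-062' = 'KB-PLACEHOLDER-062'
    'MS14-063' = 'KB-PLACEHOLDER-063'
}

# Get-HotFix reads Win32_QuickFixEngineering; collect the installed KB ids once.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = @()
foreach ($bulletin in $bulletinKBs.Keys) {
    $kb = $bulletinKBs[$bulletin]
    if ($installed -contains $kb) {
        $state = 'installed'
    } else {
        $state = 'MISSING'
        $missing += $bulletin
    }
    '{0,-10} {1,-20} {2}' -f $bulletin, $kb, $state
}

# Reboot-pending markers: either key existing means a restart is still required
# before the installed updates are fully in effect.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$pending = $rebootKeys | Where-Object { Test-Path $_ }

if ($pending) {
    "Reboot pending (markers: $($pending -join '; '))"
} else {
    'No reboot pending'
}

if ($missing.Count -gt 0) {
    "Bulletins not yet applied: $($missing -join ', ')"
}
```

One caveat when reading the output: Win32_QuickFixEngineering only records updates applied through the Windows servicing stack, so updates delivered as MSI packages (Office updates, for instance, which is how MS14-061 is typically shipped) will not appear in Get-HotFix even when they are installed; for those, check the product's own update history or the patch management console rather than treating the MISSING line as definitive.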