Patch Tuesday: Microsoft Finishes 2014 with 7 Security Bulletins
Today's release looks to fix 25 flaws in Windows, Internet Explorer and Office.
Barring any out-of-band patches in the next three weeks, Microsoft's final security update release for the year has arrived. December's patch includes seven items -- three rated "critical" and four rated "important" -- that addresses 25 flaws in multiple Microsoft products.
Those looking to attack today's release with a sound battle plan should deploy bulletin MS14-080 -- a cumulative Internet Explorer update -- first. The item looks to fix 14 different flaws in Internet Explorer versions 6 through 11 and affects all supported versions of Windows and Windows Server.
While none of the 14 flaws have been spotted being exploited in the wild, due to the size of risk caused by browser flaws, patching should commence immediately even though the threat of attack is currently not there. If gone ignored, the worst of the flaws could lead to remote code execution (RCE) attacks.
The Internet Explorer bulletin shares a flaw in common with bulletin MS14-084, the second critical item of the month that addresses a reported issues in the VBScript scripting engine in Microsoft Windows. According to the close connection to MS14-080, there may be additional patching complications, according to Ross Barrett, senior manager of security engineering at Rapid7.
"The shared CVE with MS14-084 presents a patching and detection challenge because exactly which patch you get will depend on the configuration of your system and the version of IE," said Barrett in an e-mailed statement. "Systems without IE will only be offered the MS14-084 patch. Systems with IE 8 and older will be offered the MS14-080 AND the MS14-084 patch. Systems with IE 9 or later will not be offered the MS14-084 patch because the issue is addressed by the MS14-080 patch. Clear as mud, right?"
The final critical item of the month, bulletin MS14-081, addresses two privately reported issues in Microsoft Word and Microsoft Office Web Apps. Both could lead to remote code execution attacks if hackers were inclined to take advantage of those with unpatched systems. Thankfully, just as the case with all of today's security releases, there's been no evidence of exploitation in the wild.
Microsoft's December patch also includes the following four bulletins rated "important":
- MS14-075: Addresses four issues in Microsoft Exchange Server 2007 SP3, 2010 SP3 and 2013. The most severe could lead to an elevation of privilege through the use of a spoofed URL that leads to a custom Outlook Web App site.
- MS14-082: This item fixes a privately reported flaw in all supported versions of Office that could lead to an RCE attack if gone unpatched and a malicious file is opened or previewed in Office.
- MS14-083: This bulletin looks to fix two privately reported issues in Excel. As with the previous two important fixes, these flaws could also lead to an RCE attack through a specially crafted file.
- MS14-085: The final item of the month looks to fix two issues in the Microsoft Graphics Component that could lead to an information disclosure through the use of a malicious JPEG file.
Along with this month's batch, Microsoft has rereleased two security bulletins from last month: MS14-065 and MS14-066. The updated versions look to fix patching issues that popped up last month for some users. Finally, Microsoft has updated Security Advisory 2755801, an Adobe Flash Player for Internet Explorer patch, with the latest fixes from Adobe.
Many of today's bulletins will require a restart after applying. More information can be found here.