Security Advisor

Patch Tuesday: Microsoft Finishes 2014 with 7 Security Bulletins

Today's release looks to fix 25 flaws in Windows, Internet Explorer and Office.

Barring any out-of-band patches in the next three weeks, Microsoft's final security update release for the year has arrived. December's patch includes seven items -- three rated "critical" and four rated "important" -- that address 25 flaws in multiple Microsoft products.

Those looking to attack today's release with a sound battle plan should deploy bulletin MS14-080 -- a cumulative Internet Explorer update -- first. The item looks to fix 14 different flaws in Internet Explorer versions 6 through 11 and affects all supported versions of Windows and Windows Server.

None of the 14 flaws has been spotted being exploited in the wild, but given the level of risk posed by browser flaws, patching should commence immediately even though there is currently no active threat of attack. If ignored, the worst of the flaws could lead to remote code execution (RCE) attacks.

The Internet Explorer bulletin shares a flaw with bulletin MS14-084, the second critical item of the month, which addresses a reported issue in the VBScript scripting engine in Microsoft Windows. Because of the close connection to MS14-080, there may be additional patching complications, according to Ross Barrett, senior manager of security engineering at Rapid7.

"The shared CVE with MS14-084 presents a patching and detection challenge because exactly which patch you get will depend on the configuration of your system and the version of IE," said Barrett in an e-mailed statement. "Systems without IE will only be offered the MS14-084 patch. Systems with IE 8 and older will be offered the MS14-080 AND the MS14-084 patch. Systems with IE 9 or later will not be offered the MS14-084 patch because the issue is addressed by the MS14-080 patch. Clear as mud, right?"

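The offering rules Barrett describes can be turned into a patch-compliance check that does not flag IE 9+ hosts for a bulletin they will never be offered. This is an added example, not code from Microsoft or Rapid7; the inventory format, host names and function names are assumptions made for illustration.

```python
# Added example: bulletin IDs and offering rules come from the article;
# the inventory records below are constructed sample data.
from typing import Optional

IE_CUMULATIVE = "MS14-080"   # cumulative Internet Explorer update
VBSCRIPT = "MS14-084"        # VBScript scripting engine update


def expected_bulletins(ie_major: Optional[int]) -> set:
    """Bulletins that cover the shared CVE on a host, per the quoted rules."""
    if ie_major is None:            # no IE installed: only MS14-084 is offered
        return {VBSCRIPT}
    if not 6 <= ie_major <= 11:     # article covers IE 6 through 11 only
        raise ValueError(f"unsupported IE version: {ie_major}")
    if ie_major <= 8:               # IE 8 and older: both patches are offered
        return {IE_CUMULATIVE, VBSCRIPT}
    return {IE_CUMULATIVE}          # IE 9 or later: fix ships in MS14-080


def audit(inventory: list) -> dict:
    """Return {host: sorted missing bulletins} for hosts that are not covered."""
    findings = {}
    for host in inventory:
        missing = expected_bulletins(host["ie_major"]) - set(host["installed"])
        if missing:
            findings[host["name"]] = sorted(missing)
    return findings


def naive_false_positives(inventory: list) -> list:
    """Hosts a 'require both bulletins everywhere' rule flags although covered."""
    both = {IE_CUMULATIVE, VBSCRIPT}
    real = audit(inventory)
    return sorted(h["name"] for h in inventory
                  if both - set(h["installed"]) and h["name"] not in real)


# Constructed inventory (hypothetical hosts and scan results).
SAMPLE_INVENTORY = [
    {"name": "host-a", "ie_major": None, "installed": ["MS14-084"]},
    {"name": "host-b", "ie_major": 8, "installed": ["MS14-080"]},
    {"name": "host-c", "ie_major": 11, "installed": ["MS14-080"]},
    {"name": "host-d", "ie_major": 9, "installed": []},
]

if __name__ == "__main__":
    print("missing:", audit(SAMPLE_INVENTORY))
    print("naive false positives:", naive_false_positives(SAMPLE_INVENTORY))
```
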
The final critical item of the month, bulletin MS14-081, addresses two privately reported issues in Microsoft Word and Microsoft Office Web Apps. Both could lead to remote code execution attacks if hackers were inclined to take advantage of those with unpatched systems. Thankfully, as is the case with all of today's security releases, there's been no evidence of exploitation in the wild.

Important Items

Microsoft's December patch also includes the following four bulletins rated "important":

  • MS14-075: Addresses four issues in Microsoft Exchange Server 2007 SP3, 2010 SP3 and 2013. The most severe could lead to an elevation of privilege through the use of a spoofed URL that leads to a custom Outlook Web App site.
  • MS14-082: This item fixes a privately reported flaw in all supported versions of Office that could lead to an RCE attack if left unpatched and a malicious file is opened or previewed in Office.
  • MS14-083: This bulletin looks to fix two privately reported issues in Excel. As with the previous two important fixes, these flaws could also lead to an RCE attack through a specially crafted file.
  • MS14-085: The final item of the month looks to fix two issues in the Microsoft Graphics Component that could lead to an information disclosure through the use of a malicious JPEG file.

Along with this month's batch, Microsoft has rereleased two security bulletins from last month: MS14-065 and MS14-066. The updated versions look to fix patching issues that popped up last month for some users. Finally, Microsoft has updated Security Advisory 2755801, an Adobe Flash Player for Internet Explorer patch, with the latest fixes from Adobe.

Many of today's bulletins will require a restart after applying. More information can be found here.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
