Today I’m taking time out of a great Caribbean cruise for this month’s Patch Tuesday, which brings us seven new security bulletins that include fixes to address five remote code execution vulnerabilities, one elevation of privilege vulnerability and one information disclosure vulnerability. Three of the vulnerabilities – one critical and two important – affect Microsoft Office. The rest affect Windows, except for one that is for Microsoft Exchange, and one critical update is for Internet Explorer – most likely the cumulative update that has become pretty much a regular monthly occurrence. There are three critical patches in all.
For the full details about today’s patches, see the December security bulletin summary on Microsoft’s TechNet web site. Meanwhile, let’s summarize each of the updates.
MS14-080 (KB3008923) This update is another cumulative one for Internet Explorer, affecting all currently supported versions of the browser on all currently supported versions of Windows client and server. It does not affect the server core installations, which don’t have a browser installed. The severity rating is critical for IE on Windows clients and moderate for IE on Windows servers.
This update addresses fourteen different vulnerabilities, the most serious of which could allow for remote code execution if the attacker can persuade a user to view a malicious web page. The update fixes the problems by changing a number of IE behaviors including handling of objects in memory, the way the XSS filter works, the VBS Scripting engine and implementation of ASLR.
MS14-081 (KB3017301) This update for Microsoft Word and Office Web Apps affects Word 2007, 2010, 2013/2013 RT, and Office for Mac 2011, along with the Office Compatibility Pack, Word Viewer, and Web Apps (Office Web Apps Server 2013 and SharePoint Server 2010 and 2013). The rating is critical for all affected software.
The update addresses two vulnerabilities, both reported privately, that could allow remote code execution if the user opens or views a malicious Word file. The update fixes the problem by changing the parsing of such specially crafted Word files.
MS14-084 (KB3016711) This update for the VBS scripting engine affects the Windows Vista and Windows 7 client operating systems and the Windows 2003, 2008 and 2008 R2 server operating systems. It does not affect Windows 8/8.1, RT/RT8.1 or Server 2012/2012 R2. It is rated critical for client operating systems and moderate for server operating systems.
The update addresses a single privately reported vulnerability that could allow remote code execution if a user visits a specially crafted malicious web site. The update fixes the problem by changing the way the VBS Scripting engine handles objects in memory.
MS14-075 (KB3009712) This update for Microsoft Exchange server affects all supported versions of Microsoft’s email server software: Exchange 2007, 2010 and 2013. The rating is important for all affected software.
The update addresses four vulnerabilities, all privately reported, the most serious of which could allow an attacker to elevate privileges if a user clicks a specially crafted URL that takes the user to a malicious web site. The update fixes the problem by changing the validation of request tokens and sanitizing URLs properly.
MS14-082 (KB3017349) This update for Microsoft Office affects all currently supported versions of Microsoft Office: 2007, 2010, 2013 and 2013 RT. It is rated critical for all affected software. There are mitigating factors, including the fact that the vulnerability can’t be directly/automatically exploited via email.
The update addresses one privately reported use-after-free vulnerability that could allow remote code execution if the user opens a specially crafted malicious file in Office. The update fixes the problem by changing the way ASLR is implemented by the Microsoft Common Controls Library.
MS14-083 (KB3017347) This update for Microsoft Excel affects all supported versions of the spreadsheet software: 2007, 2010, 2013 and 2013 RT, as well as the Office Compatibility Pack. It is rated important for all affected software.
The update addresses two privately reported vulnerabilities that could allow remote code execution upon opening or viewing a specially crafted malicious Excel file. The update fixes the problem by changing the parsing of such files.
MS14-085 (KB3013126) This update to the graphics component of the operating system affects all supported versions of Microsoft Windows client and server operating systems: Vista, Windows 7, Windows 8/8.1, Windows RT/RT 8.1, Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including server core installations. It is rated important for all affected software.
This update addresses a single vulnerability that has been publicly disclosed, which could allow for disclosure of information if a user visits a web site with a specially crafted JPEG file. The vulnerability could be exploited in combination with another to bypass ASLR. The update fixes the problem by changing the way JPEG images are decoded so as to correct memory initialization and management.