My December article summarizing the month’s security update releases seemed to go on and on, but this month we both get a bit of a break. With only four bulletins on the agenda, and not one of them rated critical, this time I can keep it short and sweet.

As reported in our Advance Notification summary, the vulnerabilities Microsoft is addressing with this compact slate of fixes pertain to Office (including Word Viewer, the Office Compatibility Pack, SharePoint’s Word Automation Services and Office Web Apps), Windows XP/Server 2003, Windows 7/Server 2008 R2 and Microsoft Dynamics AX. If you run only the latest versions of the Windows client and server operating systems, have no Microsoft Office, no SharePoint or Office Web Apps server on your network and no Dynamics AX, you might even escape having to patch altogether this time.


Even if you aren’t quite that lucky, the process should be relatively quick. The four bulletins address only six vulnerabilities, all but one of which were privately reported. The bad news is that the two Windows kernel updates (MS14-002 and MS14-003) require a reboot, and the Office and Dynamics AX updates may, so plan for a restart on anything you patch.


For the official and complete low-down on these patches, be sure to check out the bulletin summary on the Microsoft web site.

CRITICAL

None

IMPORTANT

MS14-001 (KB2916605) These memory corruption vulnerabilities affect supported versions of Microsoft Word 2003, 2007, 2010 and 2013, including Word 2013 RT, as well as Word Automation Services on SharePoint Server 2010 and 2013 and Office Web Apps 2010 and 2013. Basically, if you’re using Microsoft Word on Windows, either as a locally installed application or as a server-side service, you may need this patch. Note, however, that for SharePoint the update applies only to the Word Automation Services component; it is present on a standalone SharePoint installation, but in a server farm installation it is not enabled by default.


Even if you don’t have Word installed but do have Word Viewer, these vulnerabilities apply to your system, as they do to systems with the Microsoft Office Compatibility Pack that lets older Office applications open the newer XML-based file formats. Microsoft Office for Mac 2011 is not affected. The “Important” rating applies across the board.


The update addresses three memory corruption vulnerabilities that were privately reported by members of the Google Security Team. While this set has the most severe potential impact of this month’s list, remote code execution in the security context of the logged-on user, the risk is mitigated by the fact that an attacker has to convince a user to open a specially crafted file, and a user running with fewer rights than administrator limits what the attacker gains. The vulnerabilities can’t be exploited automatically through email: the user has to open the attachment, so a malicious document attached to an email message, or hosted on a web site the user is persuaded to visit, is the likely delivery route. The update fixes the problem by changing the way Word parses the affected files.


MS14-002 (KB2914368) This vulnerability in the Windows kernel affects supported versions of Windows XP and Windows Server 2003 only.  Later versions of the Windows client and server operating systems are not affected.


This update addresses one vulnerability in Windows XP/Server 2003 that had already been publicly disclosed, and which Microsoft’s advisory acknowledged was being used in limited, targeted attacks. We reported on this vulnerability here in this blog back on December 4th. The vulnerability is caused by the way these versions of Windows validate input passed from user mode to the NDProxy.sys kernel-mode driver. An attacker who exploits it gets code execution in kernel mode, and from there can elevate privileges and take complete control of the system. The update is rated “Important” rather than “Critical” because the attacker has to have valid logon credentials and be able to log on to the local machine, which lowers the risk; bear in mind, though, that kernel bugs of this kind are routinely chained with a user-level exploit (a malicious document, for instance) to break out of the user’s privilege level.


The update corrects the input validation. Note that Microsoft had previously advised a workaround that reroutes the NDProxy service to Null.sys, as we noted in our December blog post. If you applied the workaround, undo it (restore the service’s ImagePath to ndproxy.sys and reboot) before applying this update; otherwise RAS, dial-up networking, VPN and other TAPI-reliant services may not work.
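Here is what that check-and-undo looks like in practice, as an added example written for this post rather than taken from Microsoft’s advisory: it reads the NDProxy service’s ImagePath, reverts it with the same reg.exe command Microsoft documented for undoing the workaround if it still points at Null.sys, and otherwise checks whether the MS14-002 package is already present. It assumes an elevated prompt on Windows XP SP3 or Server 2003 SP2 with PowerShell 2.0 installed (it is not present by default on those systems), and that KB2914368 is the identifier under which the MS14-002 package shows up in the installed-updates list.

```powershell
# Added example, not from the original post or from Microsoft's advisory.
# Detects the Security Advisory 2914486 workaround (NDProxy rerouted to Null.sys),
# reverts it, and reports whether the MS14-002 package is installed.
# Assumptions: elevated prompt, Windows XP SP3 / Server 2003 SP2 with PowerShell 2.0,
# and KB2914368 as the package ID for MS14-002 on these platforms.

$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\ndproxy'   # PowerShell provider path
$regPath = 'HKLM\System\CurrentControlSet\Services\ndproxy'    # same key, reg.exe syntax

function Get-NdproxyImagePath {
    # REG_EXPAND_SZ values are expanded by Get-ItemProperty, so %SystemRoot% is resolved
    (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction Stop).ImagePath
}

function Test-NdproxyWorkaround {
    # True when the driver image has been pointed at the null driver
    (Get-NdproxyImagePath) -match 'null\.sys$'
}

function Undo-NdproxyWorkaround {
    # The exact command Microsoft documented for undoing the workaround
    & reg.exe add $regPath /v ImagePath /t REG_EXPAND_SZ /d 'system32\drivers\ndproxy.sys' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe failed with exit code $LASTEXITCODE" }
}

function Test-MS14002Installed {
    # Win32_QuickFixEngineering lists Windows updates (not Office ones), which is what we need here
    [bool](Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='KB2914368'")
}

$image = Get-NdproxyImagePath
Write-Host "ndproxy ImagePath: $image"

if (Test-NdproxyWorkaround) {
    Write-Host 'Advisory 2914486 workaround is in place; restoring ndproxy.sys.'
    Undo-NdproxyWorkaround
    Write-Host 'Restart the system, then install MS14-002 (KB2914368).'
}
elseif (Test-MS14002Installed) {
    Write-Host 'KB2914368 is already installed; nothing to do.'
}
else {
    Write-Host 'Workaround not present and KB2914368 not installed; install MS14-002.'
}
```

The script only changes the registry value and tells you what to do next; it does not restart anything. A reboot is needed after the revert (so that the real driver loads again) and another after the update itself, and until the first reboot the TAPI-dependent services stay unavailable.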


MS14-003 (KB2913602) This vulnerability in the Windows kernel-mode driver (Win32k.sys) affects supported versions of Windows 7 and Windows Server 2008 R2, including Itanium-based systems and Server Core installations. It does not affect any other versions of the Windows operating system.


This update addresses one vulnerability in the way the Win32k.sys kernel-mode driver handles window handle thread-owned objects in memory, which was privately reported by Xiaohong Shi of Qihoo. An attacker who can log on locally could exploit it to run arbitrary code in kernel mode and so elevate privileges. The risk is mitigated by the requirement for valid logon credentials and a local logon, so workstations and terminal servers are primarily at risk: they are where untrusted users are most likely to hold local logon rights, whereas servers that only administrators log on to are less exposed.


The update corrects the problem by changing the way the kernel-mode driver uses window handle thread-owned objects.


MS14-004 (KB2880826) This vulnerability in Microsoft Dynamics AX, Microsoft’s enterprise resource planning (ERP) solution covering accounting, inventory, project and production management, human resources and so forth, affects the servers that run it. All supported versions (4.0, 2009, 2012 and 2012 R2) are affected.


The update addresses one vulnerability in query filter handling that was privately reported by Andrey Maykov, lead developer of the FTO Project. A successful exploit would let an attacker cause a denial of service (DoS) by making the Application Object Server (AOS) instance stop responding. The risk is mitigated by the fact that the attacker would have to be able to authenticate to the Dynamics AX client in order to carry out the exploit.


The update fixes the problem by changing the way Dynamics AX handles user input.