In the words of rock star Tom Petty, the waiting is the hardest part. Let’s hope that proves to be true in regard to this month’s gargantuan patch release. Now the wait is over, and it’s time to get busy downloading, testing, evaluating and rolling them out to your Windows machines.

Since the advance notification last Thursday, we’ve thought that we were looking at 16 updates coming down the pike today. Microsoft threw us a bit of a curve, releasing “only” 14 of the patches, with two – MS14-068 and MS14-075 – deferred with the label “Release date to be determined”.

Four of the 14 released today are rated critical and all of those address remote code execution vulnerabilities. In all, 33 vulnerabilities are patched by these updates. Not everyone will be affected by all of these vulnerabilities. Several are application-specific and will impact only those who, for example, host IIS 8.0/8.5 web sites, use Active Directory Federation Services (AD FS) or have the Japanese version of IME installed. Others will hit almost everybody, such as the vulnerabilities in the TCP/IP stack and the .NET Framework.

There’s only one Office patch in this mass of updates, and it only affects Word 2007 (along with the Compatibility Pack and Word Viewer). That’s a good thing, considering there seems to have been a recent pattern of Office patches causing functionality problems.

For the full details about today’s patches, see the November Security Bulletin Summary on Microsoft’s Technet web site.  Meanwhile, let’s summarize each of the updates.

Critical

MS14-064 (KB3011443) This update addresses a pair of vulnerabilities in Windows Object Linking and Embedding (OLE), which could result in remote code execution. It applies to all currently supported versions of Windows client and server operating systems, including Windows RT and the server core installations of Windows Server 2008/2008 R2 and 2012/2012 R2.

An exploit would involve the user viewing a specially crafted malicious web page via Internet Explorer; the attacker would obtain the same rights as the user. If UAC is enabled, it would normally display a prompt before executing the exploit file.

The update fixes the problems by changing the way the OS validates the use of memory in regard to access of OLE objects and also corrects the way IE handles objects in memory.

MS14-065 (KB3003057) This is another cumulative security update for Internet Explorer, which has become pretty much a monthly occurrence. It applies to all supported versions of IE, versions 6 through 11, on all supported Windows client and server operating systems. Of course the server core installations are not affected since they don’t run the web browser. While the rating is critical on Windows client operating systems, it’s moderate on Windows Server.

The update addresses seventeen different vulnerabilities that have been reported privately to Microsoft. The most severe could allow remote execution of code when viewing a specially crafted malicious web page. The vulnerabilities include multiple memory corruption issues, an information disclosure vulnerability in IE clipboard, an ASLR bypass, cross-domain information disclosure issues and two elevation of privilege vulnerabilities.

The update fixes the problem by changing the way IE handles objects in memory and by adding more permissions validations. It also helps to ensure that IE properly implements ASLR (Address Space Layout Randomization).

MS14-066 (KB2992611) This update patches a vulnerability in Secure Channel (Schannel), which is a security provider that contains a set of security protocols that provide identity authentication and secure private communication for Internet applications using SSL and TLS. It affects all currently supported versions of the Windows client and server operating systems, including Windows RT and the server core installations. It’s rated critical across all OS versions.

The update addresses a single privately reported vulnerability, an exploit of which could result in remote code execution. An attacker could exploit the vulnerability by sending specially crafted packets to a Windows computer.

The update fixes the problem by changing the way Windows sanitizes specially crafted packets.  Also note that in addition to fixing this issue, the update also makes changes to available TLS cipher suites to include new suites that provide for stronger encryption.

MS14-067 (KB2993958) This update addresses a single privately reported vulnerability in XML Core Services. It applies to all currently supported versions of the Windows client and server operating system, including Windows RT and the server core installations, but is rated critical only for the client OS; the rating is downgraded to moderate for the server operating systems.

The vulnerability addressed by the update could be exploited when a user visits a specially crafted web site that invokes Microsoft XML Core Services (MSXML) via IE. This could allow the attacker to remotely execute code.

The problem stems from the way XML content is handled by MSXML, which can result in corruption of the system state. The update fixes the problem by changing the way MSXML parses XML content. Note that if you can’t apply the update, Microsoft also provides a workaround to prevent MSXML 3.0 binary behaviors from being used in IE, which involves editing the registry. You can find the instructions for the workaround in Security Bulletin MS14-067.

Important

MS14-069 (KB3009710) This update addresses three vulnerabilities in Microsoft Office that affect Microsoft Word 2007 SP 3, Microsoft Word Viewer and the Microsoft Office Compatibility Pack 3. Other versions of Microsoft Word and other Office programs are not affected. The severity rating is important for all affected components.

The vulnerabilities addressed by this update could be exploited to gain the same user rights as the logged-on user if a specially crafted file is opened in one of the affected Office components. The good news is that the vulnerability can’t be exploited via email itself; the user would have to open an attachment. An exploit could also be carried out by convincing a user to download and open a malicious file from a web site.

The update fixes the problem by changing the way Microsoft Office parses these specially crafted files.

MS14-070 (KB2989935) This update addresses a vulnerability in TCP/IP that was publicly disclosed. It only affects Windows Server 2003 SP 2 (x86, x64 and Itanium editions) and is rated important for affected systems. Other versions of Windows Server are not affected.

The vulnerability addressed by this update occurs during TCP/IP input/output control (IOCTL) processing; an attacker could exploit it to cause an elevation of privilege by logging onto the system and running a specially crafted application.

The update fixes the problem by changing the way the TCP/IP stack in Windows Server 2003 handles objects in memory during the IOCTL processing.

MS14-071 (KB3005607) This update addresses one privately reported vulnerability in the Windows Audio service that affects all currently supported versions of the Windows client and server operating system, including Windows RT.  The severity rating is important across all affected versions.

The vulnerability addressed by this update could be exploited to allow an elevation of privilege when an application uses the Windows Audio service. It does not allow for remote execution of code.

The update fixes the problem by adding more permission validations to the Windows Audio service.

MS14-072 (KB3005210) This update addresses one privately reported vulnerability in the .NET Framework that affects versions 1.1 SP1 through 4.5.2, running on all currently supported versions of the Windows client and server operating systems, including Windows RT and server core installations. The severity rating is important across all affected versions.

The vulnerability addressed by this update could be exploited by sending specially crafted data to an affected Windows computer that uses .NET Remoting, which is a technology that simplifies how applications communicate and share objects with each other. Only custom applications that use .NET Remoting are vulnerable. An attacker who successfully exploits the vulnerability could gain an elevation of privilege. The good news is that .NET Remoting is not widely used and thus most applications aren’t vulnerable.

The problem is caused by the way .NET Framework handles the TypeFilterLevel checks for malformed objects. The update fixes the problem by properly enforcing security controls for application memory.

MS14-073 (KB3000431) This update addresses a privately reported vulnerability in Microsoft SharePoint Server that affects SharePoint Foundation 2010 SP2. Other versions of SharePoint Server are not affected.

The vulnerability addressed by this update could be exploited by an attacker by hosting a specially crafted web site and convincing users to view the site, or by taking advantage of legit web sites that allow user-provided content or ads. A successful exploit could be used to elevate privileges and run arbitrary code with the rights of the logged-in user.

The problem is caused by improper sanitization of page content in SharePoint lists. The update fixes the problem by correcting the way SharePoint sanitizes modified lists in the SharePoint mobile browser view.

MS14-074 (KB3003743) This update addresses a privately reported vulnerability in the Remote Desktop Protocol (RDP) that could allow the bypass of security features in all currently supported versions of Windows client and server operating systems, including Windows RT and the server core installations. The severity rating is important across all affected versions.

The vulnerability addressed by this update could be exploited to allow an attacker to bypass the audit logon security feature. If used in conjunction with the exploit of another vulnerability, arbitrary code execution could occur.

The problem occurs when RDP doesn’t properly log failed logon attempts. The update fixes the problem by correcting the way RDP handles authentication and logging.

MS14-076 (KB2982998) This update addresses one privately reported vulnerability in Internet Information Services (IIS) that could allow bypass of security features in IIS 8.0 or 8.5 running on Windows 8/8.1 and Windows Server 2012/2012 R2 systems. IIS running on other versions of Windows is not affected.

The vulnerability addressed by this update could be exploited to enable clients from restricted or blocked domains to access restricted web resources hosted on web servers running the affected versions of IIS.

The problem involves the way IIS handles requests when specific IP and domain restriction configurations exist. The update fixes the problem by changing the way inbound web requests are compared to the allow/deny list that is maintained by the IP and domain restrictions components, a feature provided in the IP Security sub-component of IIS for controlling access to web resources.

MS14-077 (KB3003381) This update addresses one privately reported vulnerability in Active Directory Federation Services (AD FS) that could result in information disclosure on servers running AD FS 2.0, 2.1 and 3.0 on Windows Server 2008/2008 R2 or Windows Server 2012/2012 R2, including the server core installation of Server 2012 R2. The severity rating is important across all affected versions.

The vulnerability addressed by this update could be exploited to allow for disclosure of information if a user leaves the web browser open after logging off from an application. The attacker would have to immediately reopen the application in the browser after the user logs off.

The problem occurs because AD FS fails to properly log off a user. The update fixes the problem by ensuring that the logoff process properly logs off the user.

MS14-078 (KB3005210) This update addresses a single privately reported vulnerability in the Japanese version of the Microsoft Input Method Editor (IME). It affects systems running Windows Vista, Windows 7, Server 2003 and 2008/2008 R2, including the server core installation, and Microsoft Office 2007 IME (Japanese). Office 2012 IME (Japanese) on Windows 7 SP 1 is also affected. The severity rating is moderate across the board. Note that only the Japanese implementation is vulnerable, although you might be offered the update if you have a different IME installed.

The vulnerability addressed by this update could be exploited to escape the sandbox of a vulnerable application and gain access to the system with the same rights as the logged-on user. The good news is that an attacker can’t exploit the vulnerability without authenticated write access to the system (it can’t be exploited by an anonymous user).

The problem occurs because of the way the dictionary files associated with the vulnerability are loaded. The update fixes the problem by correcting the way the IME Japanese dictionary files load. Also note that if you can’t install the update, a workaround is to use the Enhanced Mitigation Experience Toolkit (EMET). Microsoft provides instructions in Security Bulletin MS14-078.

MS14-079 (KB3002885) This update addresses one privately reported vulnerability in the kernel mode driver of all supported versions of Windows client and server operating systems, including Windows RT and the server core installations. The rating is moderate for all affected systems.

The vulnerability addressed by this update could be exploited to create a denial of service when an attacker puts a specially crafted TrueType font on a network share and the user accesses it via Windows Explorer. An exploit can also be accomplished through a malicious web site or a legit site that allows user-provided content. Finally, the malicious file could also be sent as an email attachment.

The problem involves the way the Windows kernel mode driver validates array indexing when loading TrueType fonts. The update fixes the problem by ensuring proper validation. If you are unable to install the update, there are workarounds to deny access to T2EMBED.DLL via the command line, but note that this will cause applications that rely on embedded font technology to display improperly.
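Since the whole point of the roundup is to get these updates rolled out, here is an added PowerShell example (not from the original post or from Microsoft) that checks a local machine against the KB numbers listed above. The bulletin-to-KB table is taken from this post; MS14-078 is left out because it applies only to the Japanese IME and is partly Office-delivered.

```powershell
# Added example: report which of the November 2014 bulletins' updates are
# present on this machine, keyed by the KB numbers given in the post.
# Run in an elevated PowerShell session.
#
# Caveats: Get-HotFix reads Win32_QuickFixEngineering, which lists OS-level
# updates only. Office-delivered pieces (MS14-069 for Word 2007, the Office
# IME part of MS14-078) install via MSI and will never show up here. Also,
# a bulletin's umbrella KB can differ from the package KB actually installed
# (the .NET update in particular ships as per-version packages), so treat a
# "missing" result as something to confirm in Windows Update history or WSUS,
# not as proof the machine is unpatched.
$bulletins = [ordered]@{
    'MS14-064' = 'KB3011443'   # OLE, critical
    'MS14-065' = 'KB3003057'   # IE cumulative, critical on clients
    'MS14-066' = 'KB2992611'   # Schannel, critical; also adds TLS cipher suites
    'MS14-067' = 'KB2993958'   # MSXML, critical on clients
    'MS14-069' = 'KB3009710'   # Word 2007 (Office-delivered, see caveat)
    'MS14-070' = 'KB2989935'   # TCP/IP IOCTL, Windows Server 2003 only
    'MS14-071' = 'KB3005607'   # Windows Audio service
    'MS14-072' = 'KB3005210'   # .NET Remoting
    'MS14-073' = 'KB3000431'   # SharePoint Foundation 2010 SP2
    'MS14-074' = 'KB3003743'   # RDP audit logon bypass
    'MS14-076' = 'KB2982998'   # IIS 8.0/8.5 IP and domain restrictions
    'MS14-077' = 'KB3003381'   # AD FS logoff
    'MS14-079' = 'KB3002885'   # Kernel-mode driver, TrueType font DoS
}

# HotFixID values come back as strings like 'KB3011443'.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($b in $bulletins.GetEnumerator()) {
    [pscustomobject]@{
        Bulletin  = $b.Key
        KB        = $b.Value
        Installed = ($installed -contains $b.Value)
    }
}

$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} bulletin(s) not found via Get-HotFix: {1}" -f `
        $missing.Count, ($missing.Bulletin -join ', '))
}
```

Not every bulletin applies to every machine (MS14-070 is Server 2003 only, MS14-073 needs SharePoint, MS14-076 needs IIS 8.0/8.5), so a "missing" entry for a product that is not installed is expected rather than a gap.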