November 2014 – Microsoft Patch Tuesday

Debra Littlejohn Shinder on November 12, 2014

In the words of rock star Tom Petty, the waiting is the hardest part. Let’s hope that proves to be true in regard to this month’s gargantuan patch release. Now the wait is over, and it’s time to get busy downloading, testing, evaluating and rolling them out to your Windows machines.

Since the advance notification last Thursday, we’ve thought that we were looking at a 16 updates coming down the pike today. Microsoft threw us a bit of a curve, releasing “only” 14 of the patches, with two – MS14-068 and MS14-075 – deferred with the label “Release date to be determined”.

Four of the 14 released today are rated critical and all of those address remote code execution vulnerabilities. In all, 33 vulnerabilities are patched by these updates. Not everyone will be affected by all of these vulnerabilities. Several are application-specific and will impact only those who, for example, host IIS 8.0/8.5 web sites, use Active Directory Federation Services (AD FS) or have the Japanese version of IME installed. Others will hit almost everybody, such as the vulnerabilities in the TCP/IP stack and the .NET Framework.

There’s only one Office patch in this mass of updates, and it only affects Word 2007 (along with the Compatibility Pack and Word Viewer). That’s a good thing, considering there seems to have been a recent pattern of Office patches causing functionality problems.

For the full details about today’s patches, see the November Security Bulletin Summary on Microsoft’s Technet web site. Meanwhile, let’s summarize each of the updates.

Critical

MS14-064 (KB3011443) This update addresses a pair of vulnerabilities in Windows Object Linking and Embedding (OLE), which could result in remote code execution. It applies to all currently supported versions of Windows client and server operating systems, including Windows RT and including the server core installations of Windows Server 2008/2008 R2 and 2012/2012 R2.

An exploit would involve the user viewing a specially maliciously crafted web page via Internet Explorer; the attacker would obtain the same rights as the user. If UAC is enabled, it would normally display a prompt before executing the exploit file.

The update fixes the problems by changing the way the OS validates the use of memory in regard to access of OLE objects and also corrects the way IE handles objects in memory.

MS14-065 (KB3003057) This is another cumulative security update for Internet Explorer, which has become pretty much a monthly occurrence. It applies to all supported versions of IE, versions 6 through 11, on all supported Windows client and server operating systems. Of course the server core installations are not affected since they don’t run the web browser. While the rating is critical on Windows client operating systems, it’s moderate on Windows Server.

The update addresses seventeen different vulnerabilities that have been reported privately to Microsoft. The most severe could allow remote execution of code when viewing a specially crafted malicious web page. The vulnerabilities include multiple memory corruption issues, an information disclosure vulnerability in IE clipboard, an ASLR bypass, cross-domain information disclosure issues and two elevation of privilege vulnerabilities.

The update fixes the problem by changing the way IE handles objects in memory and by adding more permissions validations. It also helps to ensure that IE properly implements ASLR (Address Space Layout Randomization).

MS14-066 (KB2992611) This update patches a vulnerability in Secure Channel (Schannel), which is a security provider that contains a set of security protocols that provide identity authenticationand secure private communication for Internet applications using SSL and TLS. It affects all currently supported versions of the Windows client and server operating systems, including Windows RT and the server core installations. It’s rated critical across all OS versions.

The update addresses a single privately reported vulnerability, an exploit of which could result in remote code execution. An attacker could exploit the vulnerability by sending specially crafted packets to a Windows computer.

The update fixes the problem by changing the way Windows sanitizes specially crafted packets. Also note that in addition to fixing this issue, the update also makes changes to available TLS cipher suites to include new suites that provide for stronger encryption.

MS14-067 (KB2993958) This update addresses a single privately reported vulnerability in XML Core Services. It applies to all currently supported versions of the Windows client and server operating system, including Windows RT and the server core installations, but is rated critical only for the client OS; the rating is downgraded to moderate for the server operating systems.

The vulnerability addressed by the update cold be exploited when a user visited a specially crafted web site that invokes Microsoft XML Core Services (MSXML) via IE. This could allow the attacker to remotely execute code.

The problem stems from the way XML content is handled by MSXML, which can result in corruption of the system state. The update fixes the problem by change the way MSXML parses XML content. Note that if you can’t apply the update, Microsoft also provides a workaround to prevent MSXML 3.0 binary behaviors from being used in IE, which involves editing the registry. You can find the instructions for the workaround in Security Bulletin MS14-067.

Important

MS14-069 (KB3009710) This update addresses three vulnerabilities in Microsoft Office that affect Microsoft Word 2007 SP 3, Microsoft Word Viewer and the Microsoft Office Compatibility Pack 3. Other versions of Microsoft Word and other Office programs are not affected. The severity rating is important for all affected components.

The vulnerabilities addressed by this update could be exploited to gain the same user rights as the logged-on user if a specially crafted file in opened in one of the affected Office components. The good news is that the vulnerability can’t be exploited via email itself; the user would have to open an attachment. An exploit could also be carried out by convincing a user to download and open a malicious file from a web site.

The update fixes the problem by changing the way Microsoft Office parses these specially crafted files.

MS14-070 (KB2989935) This update addresses a vulnerability in TCP/IP that was publically disclosed. It only affects Windows Server 2003 SP 2 (x86, x64 and Itanium editions) and is rated important for affected systems. Other versions of Windows Server are not affected.

The vulnerability addressed by this update occur during TCP/IP input/output control processing and an attacker could exploit it to cause an elevation of privilege by logging onto the system and running a specially crafted application.

The update fixes the problem by changing the way the TCP/IP stack in Windows Server 2003 handles objects in memory during the IOCTL processing.

MS14-071 (KB3005607) This update addresses one privately reported vulnerability in the Windows Audio service that affects all currently supported versions of the Windows client and server operating system, including Windows RT. The severity rating is important across all affected versions.

The vulnerability addressed by this update could be exploited to allow an elevation of privilege when an application uses the Windows Audio service. It does not allow for remote execution of code.

The update fixes the problem by adding more permission validations to the Windows Audio service.

MS14-072 (KB3005210) This update addresses one privately reported vulnerability in the .NET Framework that affects versions 1.1 SP1 through 4.5.2, running on all currently supported versions of the Windows client and server operating systems, including Windows RT and server core installations. The severity rating is important across all affected versions.

The vulnerability addressed by this update could be exploited by sending specially crafted data to an affected Windows computer that uses .NET Remoting, which is a technology that simplifies how applications communicate and share objects with each other. Only custom applications that use .NET Remoting are vulnerable. An attacker who successfully exploits the vulnerability could gain an elevation of privilege. The good news is that .NET Remoting is not widely used and thus most applications aren’t vulnerable.

The problem is caused by the way .NET Framework handles the TypeFilterLevel checks for malformed objects. The update fixes the problem by properly enforcing security controls for application memory.

MS14-073 (KB3000431) This update addresses a privately reported vulnerability in Microsoft SharePoint Server that affects SharePoint Foundation 2010 SP2. Other versions of SharePoint Server are not affected.

The vulnerability addressed by this update could be exploited by an attacker by hosting a specially crafted web site and convincing users to view the site, or by taking advantage of legit web sites that allow user-provided content or ads. A successful exploit could be used to elevate privileges and run arbitrary code with the rights of the logged-in user.

The problem is caused by improper sanitization of page content in SharePoint lists. The update fixes the problem by correcting the way SharePoint sanitizes modified lists in the SharePoint mobile browser view.

MS14-074 (KB3003743) This update addresses a privately reported vulnerability in the Remote Desktop Protocol (RDP) that could allow the bypass of security features in all currently supported versions of Windows client and server operating systems, including Windows RT and the server core installations. The severity rating is important across all affected versions.

The vulnerability addressed by this update could be exploited to allow an attacker to bypass the audit logon security feature. If used in conjunction with the exploit of another vulnerability, arbitrary code execution could occur.

The problem occurs when RDP doesn’t properly log failed logon attempts. The update fixes the problem by correcting the way RDP handles authentication and logging.

MS14-076 (KB2982998) This update addresses one privately reported vulnerability in Internet Information Services (IIS) that could allow bypass of security features in IIS 8.0 or 8.5 running on Windows 8/8.1 and Windows Server 2012/2012 R2 systems. IIS running on other versions of Windows is not affected.

The vulnerability addressed by this update could be exploited to enable clients from restricted or blocked domains to access restricted web resources hosted on web servers running the affected versions of IIS.

The problem involves the way IIS handles requests when specific IP and domain restriction configurations exist. The update fixes the problem by changing the way inbound web requests are compared to the allow/deny list that is maintained by the IP and domain restrictions components, a feature provided in the IP Security sub-component of IIS for controlling access to web resources.

MS14-077 (KB3003381) This update addresses one privately reported vulnerability in Active Directory Federation Services (AD FS) that could result in information disclosure on servers running AD FS 2.0, 2.1 and 3.0 on Windows Server 2008/2008 R2 or Windows Server 2012/2012 R2, including the server core installation of Server 2012 R2. The severity rating is important across all affected versions.

The vulnerability addressed by this update could be exploited to allow for disclosure of information if a user leaves the web browser open after logging off from an application. The attacker would have to immediately reopen the application in the browser after the user logs off.

The problem occurs because AD FS fails to properly log off a user. The update fixes the problem by ensuring that the logoff process properly logs off the user.

MS14-078 (KB3005210) This update addresses a single privately reported vulnerability in the Japanese version of the Microsoft Input Method Editor (IME). It affects systems running Windows Vista,
Windows 7, Server 2003 and 2008/2008 R2, including the server core installation, and Microsoft Office 2007 IME (Japanese). Office 2012 IME (Japanese) on Windows 7 SP 1 is also affected. The severity rating is moderate across the board. Note that only the Japanese implementation is vulnerable, although you might be offered the update if you have a different IME installed.

The vulnerability addressed by this update could be exploited to escape the sandbox of a vulnerable application and gain access to the system with the same rights as the logged-on user. The good news is that an attacker can’t exploit the vulnerability without authenticated write access to the system (it can’t be exploited by an anonymous user).

The problem occurs because of the way the dictionary files associated with the vulnerability are loaded. The update fixes the problem by correcting the way the IME Japanese dictionary files load. Also note that if you can’t install the update, a workaround is to use the Enhanced Mitigation Experience Toolkit (EMET). Microsoft provides instructions in Security Bulletin MS14-078.

MS14-079 (KB3002885) This update addresses one privately reported vulnerability in the kernel mode driver of all supported versions of Windows client and server operating systems, including Windows RT and the server core installations. The rating is moderate for all affected systems.

The vulnerability addressed by this update could be exploited to create a denial of service when an attacker puts a specially crafted TrueType font on a network share and the user accesses it via Windows Explorer. An exploit can also be accomplished through a malicious web site or a legit site that allows user-provided content. Finally, the malicious file could also be sent as an email attachment.

The problem involves the way the Windows kernel mode driver validates array indexing when loading TrueType fonts. The update fixes the problem by ensuring proper validation. If you are unable to install the update, there are workarounds to deny access to T2EMBED.DLL via the command line, but note that this will cause applications that rely on embedded font technology to display improperly.

About the Author: Debra Littlejohn Shinder

Debra Littlejohn Shinder has been working and writing in the field of IT security since 1998. She’s an author of and contributor to over 25 books on computer technology, including “Scene of the Cybercrime,” based on her previous experience as a police officer and police academy instructor. Deb is owner and CEO of TACteam (Training, Authoring and Consulting) and has contracted with Microsoft, Intel, HP, Prowess Consulting, Sunbelt Software, GFI Software, ConfigureSoft, 2X Software and other software and hardware companies. She currently writes articles and blogs for Windowsecurity.com, WindowsNetworking.com and CloudComputingAdmin.com as well as GFI’s Talk Tech to Me and Patch Central, and has published more than 1800 articles for web sites and print magazines. Deb has been a Microsoft MVP in the area of enterprise security for the past eleven years.

24 Comments

Graeme November 13, 2014 at 1:39 am
My computer automatically installed the Tuesday updat (Nov 12) and now, although it will open and download) I cannot view mail in outlook (script error) nor can I open word or and work documents (I am getting a program is not compatible Error)
Any ideas on how this can be solved?
1. Deb Shinder November 13, 2014 at 4:53 pm
  I haven’t experienced this on any of my machines but since your Microsoft Office programs were affected, I naturally would suspect MS14-069, which was the only Office patch released this time. You didn’t say what version of Office you’re running; the patch was for Office 2007. Assuming you installed it, the first thing I would try would be uninstalling that one. If that fixes your problem, you’ll want to take extra precautions to avoid an exploit of the vulnerability it addresses. That vulnerability is rated important rather than critical because you would have to open an attachment or download a malicious file from a web site to be compromised. So if you uninstall the patch, avoid those behaviors and be sure to log on with standard user rights rather than admin as much as possible to minimize the impact of any exploit.
  Graeme November 13, 2014 at 5:45 pm
  Thanks, figured it out. My anti-virus software allowed most but not all of the components of the patch to be installed. Those parts not installed meant that word was no longer compatible. I uninstalled the viral software, re-installed the patch and then re-installed the virus software and all is good…pain in the butt but good.
  Deb Shinder November 13, 2014 at 5:54 pm
  Excellent. I’m glad you were able to resolve it without going unpatched.
Alan Harrison November 13, 2014 at 7:19 pm
My machine installed all updates this morning automatically. Now I have networking issues. I get an error when I run the network trouble shooter that says “Windows could not automatically detect this network’s proxy settings”. Loads of stuff on internet saying how to fix this but none of it seems to work.
Any ideas?
1. Graeme November 14, 2014 at 4:25 pm
  I would try the same thing that I did. If you are running anti virus siftware. Uninstall it , then go back to windows updates and re-install the update and then see if that works. Then re-instll the anti-virus software.
2. Deb Shinder November 14, 2014 at 8:03 pm
  There’s not really enough information to start to troubleshoot this. You don’t mention which operating system you’re running or at what point you get this error message. Other than MS14-070, none of the other patches this month directly pertain to networking components, and that patch is for Windows Server 2003 only. If that’s your OS, I would try uninstalling that patch.
carolyn November 13, 2014 at 10:00 pm
Since downloading the automatic update yesterday, I cannot open Internet Explorer. I have reset it and looked on line for updates and it will not respond.
I am running Windows 7 and have no other issues but now can only access my Yahoo mail through Safari or Chrome.
How do I get Internet Explorer working again??
Thanks
1. Deb Shinder November 14, 2014 at 8:05 pm
  MS14-065 is a cumulative update for Internet Explorer that addressed seventeen different vulnerabilities, so it made a number of changes to IE. That would be the first suspect when having problems with the browser after the updates. I would probably try rolling this back and reinstalling that patch.
  D Larka December 4, 2014 at 7:05 pm
  For MS14-065 have you heard of anyone not being able to uninstall the patch for IE10? I dont see it showing up in Add remove programs/Programs and Features. and the KB says that it does not have a registry key to show that it is installed.
Bobo November 14, 2014 at 12:33 am
Since the update, my LG laptop w/W7 Premium is now on psychedelics. Lots of wavy rainbow colors on the screenI cant get KB 2978128 to install either
1. Graeme November 14, 2014 at 4:27 pm
  I had that also when trying to send a doc by email….shut it down and retried and it was fine….
2. Deb Shinder November 14, 2014 at 8:07 pm
  That sounds like a video card issue. I would check to see whether a video card update installed along with the security patches, and if so, try uninstalling it.
  Steven November 18, 2014 at 12:39 am
  Also looking for a solution for KB 2978128, I flat out can not get it to install.
Jim Clark November 14, 2014 at 11:05 pm
Our product has been using the IWebBrowser OLE interface for many years but has failed since Cumulative Security Update for Internet Explorer KB3003057. What do we need to do to get this IWebBrowser interface working again.
http://msdn.microsoft.com/en-us/library/aa752127(v=vs.85).aspx
When we try to use the Navigate function it causes general access violations such.
Our code has not changed for several years so must something must have been chainged in the OLE/ActiveX library with this security update patch.
We are getting Access Violations when calling the IWebBrowswer :: Navigate function since this KB3003057 security patch. If I uninstall the patch everything works normally again. When I re-install the KB3003057 patch the problem returns.
All our customers (many different computers in different offices) are getting this problem once they pick up the update. It is not specific to a particular computer and we are seeing it on Windows 7 and also Windows 8.
Thanks in advance for any advise you can offer.
Thanks,
Jim Clark
1. Deb Shinder November 18, 2014 at 4:40 pm
  I am hearing reports of other problems with MS14-065 (KB3003057) and given the consistency of your problem across different machines and the fact that uninstalling fixes the problem, it appears there is an incompatibility between KB3003057 and the iWebBrowser interface (I know that’s obvious without my telling you). The only thing I know to do is pass the information along to Microsoft, which I’m doing, and urge you to do so as well – the more feedback they get about a patch problem, the more quickly they’re likely to fix it. If I get word of a solution, I’ll publish it here in the blog.
Curtis Simpson November 17, 2014 at 4:37 pm
I have deployed windows8.1-kb2992611-x64 to Windows 8.1 touchscreen laptop devices. On start-up after the patch installation, all the devices open OneDrive and OneNote. Is this expected behaviour?
1. Deb Shinder November 18, 2014 at 4:44 pm
  This patch is causing a variety of major problems with performance, error messages and functionality with some browsers. See http://www.infoworld.com/article/2848574/operating-systems/microsoft-botches-kb-2992611-schannel-patch-tls-alert-code-40-slow-sql-server-block-iis-sites.html . I hope Microsoft will pull this patch and reissue soon.
Santu Roy November 18, 2014 at 8:33 am
Last Saturday i was install MS14-070 (KB2989935) on my test server windows 2003 sp2 R2 . after install the windows security patch (KB2989935) my websphere application server version 7 is not working properly (Malfunctioning) after start the websphere service within 5 minutes it will stop so i was uninstall (KB2989935) it is working fine. so give me the solution for this .
1. Deb Shinder November 18, 2014 at 4:48 pm
  At this point, the only solution is to uninstall the patch and wait for a revised update or hot fix. This update is not rated critical, and that’s because the attacker has to be logged onto the system to exploit this vulnerability.
Upset December 3, 2014 at 12:47 pm
KB3005607 fails to instal on my win 8 machine
🙁
sam mullings December 9, 2014 at 5:43 pm
I have an update from November that fails (kb2976536), tried everything but it still fails
I have tried updating it manually – fails
DISM and WindowsUpdateDiagnosticdiagcab – finds no issues
Also tried cleaning her windows update folder
Disabled the antivirus and all start up programs
Ran SFC /SCANNOW – comes up clean
Jeff James December 18, 2014 at 9:25 pm
Like everyone else – on shutdown, my PC keeps ‘installing 1 of 1’ which is KB2978128.
It just will not install – tried manually.
Can I find somewhere to delete this update, so that the PC doesn’t keep on trying?
1. Deb Shinder December 19, 2014 at 6:12 pm
  To delete an update that won’t install, in Windows Updates review the list of updates waiting to be installed on your computer. When you spot one of the updates that will not install, click the plus-sign button next to it to expand the options. Click the box next to the phrase “Don’t show this update again.”
  Read more : http://www.ehow.com/how_5076548_delete-windows-updates-wont-install.html

Comments are closed.

If you have used this form and would like a copy of the information held about you on this website, or would like the information deleted, please email privacy@gfisoftware.com from the email address you used when submitting this form.