This post was authored by Yves Younan.

Today, Microsoft is releasing their final Update Tuesday of 2014. Last year, the end of year update was relatively large. This time, it’s relatively light with a total of seven bulletins, covering 24 CVEs. Three of those bulletins are rated critical and four are considered to be important. Microsoft has made a few changes to the way they report their bulletins. Microsoft has dropped the deployment priority (DP) rating, which was very much environment-specific and might not be all that useful for non-default installations. Instead, they are now providing an exploitability index (XI), which ranges from zero to three. With zero denoting active exploitation and three denoting that it’s unlikely that the vulnerability would be exploited. Another change is to more clearly report on how the vulnerability was disclosed: was Microsoft notified via coordinated vulnerability disclosure or was the vulnerability publicly known before being released?

The first bulletin is MS14-075, which is one of the two bulletins that was postponed last month, it is rated as important. While MS14-068, which also slipped, was released a few days later, MS14-075 had to wait for the December update. It fixes four vulnerabilities in Exchange that could allow for elevation of privileges and has an XI of two. Two of the vulnerabilities (CVE-2014-6325 and CVE-2014-6326) are cross site scripting vulnerabilities. One vulnerability, CVE-2014-6319, relates to outlook web access token spoofing, while the last one, CVE-2014-6336, is a URL redirection vulnerability in Exchange.

Our next bulletin, MS14-080, is the first critical bulletin of the month and is the requisite IE bulletin with an XI of one. It fixes a total of 13 CVEs, one of which (CVE-2014-6363) it shares with bulletin MS14-084. Three of these vulnerabilities are security feature bypasses: two bypass the XSS filter (CVE-2014-6328 and CVE-2014-6365), while the other is an ASLR bypass (CVE-2014-6368). The remaining ten are memory corruption vulnerabilities, many of which are once again use-after-frees, although there are also a couple of buffer overflows this month.

This brings us to the third bulletin and second critical bulletin for this month, MS14-081. This bulletin is for Word and Office Web Apps and covers two CVEs with an XI of one. The first vulnerability, CVE-2014-6356, is a buffer overflow that could allow for remote code execution when a user opens a maliciously crafted file. The second vulnerability is due to a use-after-free (CVE-2014-6357) and can also be exploited if a user opens a specially crafted file.

Our fourth bulletin this month is MS14-082 for Office. It covers a single vulnerability (CVE-2014-6364) and is rated important with an XI of one. As with the previous bulletin, this vulnerability is the result of a use-after-free and can be exploited if a user is tricked into opening a maliciously crafted Office file.

MS14-083 is rated important and fixes two vulnerabilities in Excel that have an XI of two. As with the previous two bulletins, one vulnerability (CVE-2014-6360) is the result of a use-after-free vulnerability, where a maliciously crafted file would be used to exploit the vulnerability. The second vulnerability (CVE-2014-6361) is due to type confusion and also requires a maliciously crafted file to be opened.

Our sixth bulletin and final critical bulletin of the year is MS14-084 and is the VBScript bulletin that shares its single CVE, CVE-2014-6363, with the IE bulletin. It has an XI of two and is the result of a use-after-free vulnerability in the VBScript engine.

Finally, the last Microsoft bulletin of 2014 is MS14-085 which covers a single publicly disclosed vulnerability (CVE-2014-6355) in Microsoft Graphics Component. It is rated as important with an XI of two. The vulnerability is a simple information disclosure that could be used to gather information on the stack, potentially allowing an attacker to bypass ASLR.

That sums it up for 2014. Anecdotally, without digging into the data, it looks like this year may have had use-after-free vulnerabilities as the most-fixed vulnerability in Microsoft bulletins.

Talos is releasing the following signatures to deal with these vulnerabilities: SIDs 32507, 32679-32705, 32707-32714 and 32718-32725.

Related items: Cisco Legacy IPS


Talos Group

Talos Security Intelligence & Research Group