Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. They cover a total of 33 CVEs.
We’ll start off with the four critical bulletins, for a total of 21 CVEs that can result in remote code execution:
Our first bulletin of the month is MS14-064, which fixes two vulnerabilities (CVE-2014-6332, CVE-2014-6352) in Windows Object Linking and Embedding (OLE) that could allow remote code execution. Both issues are being attacked in the wild and can be considered 0-days. CVE-2014-6352 is a vulnerability that resulted from an insufficient fix for CVE-2014-4114, the vulnerability that was exploited by Sandworm.
Next up is MS14-065, the monthly IE bulletin. This month it fixes a total of 17 CVEs in IE6 to IE11. All these bugs were privately reported to Microsoft, so they are not being actively exploited. As has been the case for a while now, the majority of the vulnerabilities are the result of use-after-free errors, and exploitation can result in remote code execution.
MS14-066 covers a single CVE, CVE-2014-6321, in Microsoft’s Secure Channel security package in Windows, which provides security protocol support for applications. While it is covered by only a single CVE, there are actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses.
Next up are the eight important bulletins, for a total of ten CVEs. Five of these CVEs can result in an escalation of privileges, three can result in remote code execution, one allows for a bypass of security features, and one is an information disclosure:
The first important bulletin is MS14-069. It fixes three vulnerabilities in Microsoft Office. All three can result in remote code execution if exploited. The three vulnerabilities are the result of a double free (CVE-2014-6333) and two out-of-bounds errors (CVE-2014-6334 and CVE-2014-6335).
CVE-2014-6322 is addressed by MS14-071. In this vulnerability, the Windows Audio Service will read symbolic links in the registry from a low-integrity process, allowing the process to potentially escape the sandbox.
A cross-site scripting vulnerability in SharePoint (CVE-2014-4116) is fixed by MS14-073. The vulnerability can result in an escalation of privileges that can only be exploited by an authenticated user.
There’s also a vulnerability (CVE-2014-4078) in Microsoft’s Internet Information Services (IIS) that is resolved by MS14-076. The vulnerability can lead to a bypass of the “IP and domain restrictions” security feature and can occur when the Domain Name Restriction white- and blacklists contain entries with wildcards.
That brings us to the last two bulletins for this month, which are rated moderate and provide fixes for two CVEs:
The following SIDs address these issues:
7070, 32186-32187, 32251-32259, 32313-32316, 32404-32423, 32426-32443, 32458-32461, 32470-32479, 32489-32492, 32497-32500, 32518-21519