Microsoft released 14 security bulletins last night, four of which were rated critical, addressing 33 Common Vulnerabilities and Exposures (CVEs) in Windows, Internet Explorer, Office, the .NET Framework and Remote Desktop Protocol.
Russ Ernst, director of product management at Lumension, said: “While we enjoyed a relatively low number of patches each month so far this year, November definitely takes a big jump up with 14 total bulletins released today: four are critical, eight important and two moderate.
“While this is two less than what we thought we would have today according to last week’s ANS, we still have to go back to September of last year for the last time Microsoft released this many bulletins in a single month. The good news however is the CVE count. Just 33 CVEs means fewer opportunities for the bad guys but because the software impacted is widespread, this Patch Tuesday is still a lot of work for IT.”
Since the bulletins were released, Microsoft has said that MS14-064 should be the first priority, as it is currently being exploited in the wild. This bulletin addresses two CVEs in the Windows OLE component that could allow remote code execution.
Wolfgang Kandek, CTO of Qualys, said: “The most important bulletin, MS14-064, addresses a current 0-day vulnerability – CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions. Attackers have been abusing the vulnerability to gain code execution by sending PowerPoint files to their targets.
“Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary patch in the form of a FixIt. This is the final fix for OLE Packager (Microsoft had patched the same software in October already with MS14-060) that should address all known exploit vectors.”
Craig Young, security researcher at Tripwire, said: “Some administrators may want to prioritise this over the Internet Explorer patch, even though we’ve seen attacks in the wild against the browser. This is because MS14-066 has the potential to be exploited without user-interaction.
“Fortunately Microsoft’s assessment is that reliable exploitation of this bug will be tricky. Hopefully, this will give admins enough time to patch their systems before we see exploits.”
Among the other patches, Kandek recommended next looking at MS14-065, the cumulative update for Internet Explorer, which addresses 17 vulnerabilities. “The most severe of these vulnerabilities could be used to gain control over the targeted machine,” he said.
“An attack will take the form of a malicious webpage that the targeted user has to browse to. There are two basic scenarios that attackers use frequently: in the first the user browses to the site by their own volition, maybe as part of a daily routine, but the attacker has gained control over the website in question through a separate vulnerability and is able to plant malicious content on the site.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “Every supported version of Windows is impacted by the critical issues, with the minor exception of Server Core not having Internet Explorer exposure. Perimeter systems are often mission critical and need the fastest attention. Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime.”