Microsoft released seven security updates last night, with three rated as critical and re-released patches issued for Explorer and Schannel flaws.
Russ Ernst, director of product management at Lumension, said that the re-release of MS14-066 and MS14-065, which were originally released in November, gives users the opportunity to re-apply them due to the change in package, especially as the “Schannel” vulnerability proved to be a bit of a problem child for some IT departments last month, when Microsoft revised the bulletin to include support for Windows Server 2008 R2 and Windows Server 2012.
Craig Young, security researcher at Tripwire, said: “Many frustrated admins still suffering from ill-effects from Microsoft’s botched (but critical) SChannel update will be getting an early Christmas present this year with a re-release of the MS14-066 patch. Initially released last month, the patches caused a variety of TLS connection woes. With denial-of-service exploit code available, it’s critical that all systems receive this patch ASAP.
“This issue can be exploited with an HTTPS request or remote desktop connection providing a maliciously crafted certificate for authentication. Unlike other RDP vulnerabilities disclosed in recent years, the use of NLA does not mitigate this vulnerability at all because it’s exploited during the SSL/TLS handshake. The only saving grace for enterprises is that achieving reliable code execution is not a trivial task.”
This month’s patch bundle covers 24 Common Vulnerabilities and Exposures (CVEs). Ernst said: “In December, IT efforts will largely focus on the desktop. There are 24 CVEs to be covered off in December, none under active attack at this point. First on your list of priorities should be the cumulative update for all versions of Internet Explorer in MS14-080. This includes fixes for 14 CVEs of which one CVE is shared with another critical ranked bulletin, MS14-084 for a vulnerability in VBScript.”
Karl Sigler, threat intelligence manager at Trustwave, said: “This security update resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
“This security update affects Internet Explorer 6 through Internet Explorer 11 on affected Windows clients and servers.”
MS14-081 is also marked Critical. Ross Barrett, senior engineering manager at Rapid7, said: “In most cases this type of issue would only be important, because typically a document format use-after-free issue requires user interaction to exploit, but in this case because of the potential for exploitation through SharePoint Web Apps the risk is greater.”
The final critical patch is MS14-084, a vulnerability in the VBScript scripting engine which could allow remote code execution. Sigler said: “This vulnerability could allow remote code execution if a user visits a specially crafted website with Internet Explorer. It could also be exploited via a specially crafted Office document designed to invoke the IE rendering engine. The security update addresses the vulnerability by modifying how the VBScript scripting engine handles objects in memory.
“This security update is rated Critical for affected versions of the VBScript scripting engine on affected Windows clients and Moderate for affected versions of the VBScript scripting engine on affected Windows servers.”
Also released this month, and delayed from November, is MS14-075, covering four CVEs in all supported versions of MS Exchange. Barrett said: “This patch addresses two Outlook Web Access Cross Site Scripting issues, a web application token spoofing issue, and an issue with Exchange URL redirection.
“Even though only tagged important, the presence of MS Exchange on the perimeter and the potential for this type of attack to be combined with stolen credentials and other malicious behaviour will make it a patching priority.”