Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Thursday, 30 March, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Final Microsoft updates sees re-released patches and three critical fixes

by The Gurus
December 10, 2014
in Editor's News
patch
Share on FacebookShare on Twitter

Microsoft released seven security updates last night, with three rated as critical and re-released patches issued for Explorer and Schannel flaws.
 
Russ Ernst, director of product management at Lumension, said that the re-release of MS14-066 and MS14-065, which were originally released in November, gives users the opportunity to re-apply them due to the change in package, especially as the “Schannel” vulnerability proved to be a bit of a problem-child for some IT departments last month when Microsoft revised the bulletin to include support for Windows Server 2008 R2 and Windows Server 2012.
 
Craig Young, security researcher at Tripwire, said: “Many frustrated admins still suffering from ill-effects from Microsoft’s botched (but critical) SChannel update will be getting an early Christmas present this year with a re-release of the MS14-066 patch. Initially released last month, the patches  caused a variety of TLS connection woes.  With denial-of-service exploit code available, it’s critical that all systems receive this patch ASAP.
 
“This issue can be exploited with an HTTPS request or remote desktop connection providing a maliciously crafted certificate for authentication.  Unlike other RDP vulnerabilities disclosed in recent years, the use of NLA does not mitigate this vulnerability at all because it’s exploited during the SSL/TLS handshake.  The only saving grace for enterprises is that achieving reliable code execution is not a trivial task.”
 
This month’s patch bundle covers 24 common vulnerabilities and exploits (CVE). Ernst said: “In December, IT efforts will largely focus on the desktop. There are 24 CVEs to be covered off in December, none under active attack at this point. First on your list of priorities should be the cumulative update for all versions of Internet Explorer in MS14-080. This includes fixes for 14 CVEs of which one CVE is shared with another critical ranked bulletin, MS14-084 for a vulnerability in VBScript.”
 
Karl Sigler, threat intelligence manager at Trustwave, said: “This security update resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
 
“This security update affects Internet Explorer 6 through Internet Explorer 11 on affected Windows cl
ients and servers.”

 
MS14-081 is also marked Critical. Ross Barrett, senior engineering manager at Rapid7, said: “In most cases this type of issue would only be important, because typically a document format use-after-free issue requires user interaction to exploit, but in this case because of the potential for exploitation through Sharepoint Web Apps the risk is greater.”
 
The final critical patch is MS14-084, a vulnerability in the VBScript scripting engine which could allow remote code execution. Sigler said: “This vulnerability could allow remote code execution if a user visits a specially crafted website with Internet Explorer. It could also be exploited via a specially crafted Office document designed to invoke the IE rendering engine. The security update addresses the vulnerability by modifying how the VBScript scripting engine handles objects in memory.
 
“This security update is rated Critical for affected versions of the VBScript scripting engine on affected Windows clients and Moderate for affected versions of the VBScript scripting engine on affected Windows servers.”
 
Also released this month, and delayed from November is MS14-075 covering four CVEs in all supported versions of MS Exchange. Barrett said: “This patch addresses two Outlook Web Access Cross Site Scripting issues, a web application token spoofing issue, and an issue with Exchange URL redirection.
 
“Even though only tagged important, the presence of MS Exchange on the perimeter and the potential for this type of attack to be combined with stolen credentials and other malicious behaviour will make it a patching priority.”

FacebookTweetLinkedIn
Tags: MicrosoftPatchVulnerabilityWindows
ShareTweetShare
Previous Post

Businesses fail to balance employee access and security demands

Next Post

Tripwire set to be acquired for $710 million

Recent News

cybersecurity training

Only 10% of workers remember all their cyber security training

March 30, 2023
Pie Chart, Purple

New API Report Shows 400% Increase in Attackers

March 29, 2023
Cato Networks delivers first CASB for instant visibility and control of cloud application data risk

Cato Networks Recognised as Leader in Single-Vendor SASE Quadrant Analysis

March 29, 2023
Outside of cinema with advertising

Back and Bigger Than Ever! The Inside Man Season 5 Takes a Stab at Power Hungry Adversaries

March 29, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information