This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for November 2014.
The folks at the Microsoft Security Response Center (MSRC) have been busy, cranking out updates for Windows, Internet Explorer, Office, .Net Framework, and SharePoint Server. The initial advance notification for November that Microsoft sent out on November 6th said that we should expect 16 patches, but 2 of those patches (MS14-068 and MS14-075) were not released on November 11th and have their release date marked as “to be determined”. Administrators should keep an eye out for those updates…they may be released out-of-band or held until the December Patch Tuesday release.
This month we have a total of fourteen (14) security updates from Microsoft. Four (4) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The four (4) Critical vulnerabilities this month affect Internet Explorer and Windows. There are eight (8) that are rated Important and two (2) that are rated Moderate.
Clarification of the McAfee Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list McAfee products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see a McAfee product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.
This month’s patches include the following:
Let’s take a closer look at each of the Microsoft Security Bulletins:
MS14-064 (CVE-2014-6332 & CVE-2014-6352)
This Critical update addresses two (2) different vulnerabilities in Windows Object Linking and Embedding (OLE). For both of these vulnerabilities, an attacker would need to convince a user to open a specially crafted document or visit a compromised or untrusted website. This is a common theme throughout many vulnerabilities, so we’ll reinforce the need for good web browsing habits, good email hygiene, and use of proper security tools. For both of these vulnerabilities, attackers could gain the same user rights as the currently logged on user. This reinforces a security best practice of not operating with administrative permissions, as users configured with fewer rights will likely have less exposure. This update has broad coverage across Windows versions and is highly recommended for administrators to aggressively deploy.
MS14-065 (CVE-2014-4143, CVE-2014-6323, CVE-2014-6337, CVE-2014-6339 through CVE-2014-6351, and CVE-2014-6353)
Here’s our standard cumulative security update for Internet Explorer in the patch Tuesday updates. This one resolves seventeen (17) vulnerabilities in Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide version numbers of Internet Explorer that have this vulnerability, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:
- Ten (10) of these vulnerabilities are Internet Explorer Memory Corruption Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
- Two (2) of the vulnerabilities are classified as Elevation of Privilege. Since they are Elevation of Privilege vulnerabilities, an attacker would need to combine these with a Remote Code Execution vulnerability to get arbitrary code to run.
- Three (3) of the vulnerabilities are classified as Information Disclosure. They are problems with Internet Explorer’s cross-domain policies. An attacker would need to host a website that exploits these vulnerabilities, and could gain access to information from another domain.
- The remaining two (2) vulnerabilities are a Clipboard Information Disclosure vulnerability and an ASLR Bypass Vulnerability.
- Similarly to last month, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
As you can see by the number of CVE’s that are listed, there are many individual threats that are wrapped together in this individual bulletin. The McAfee Labs Threat Advisories break down the individual threats, which McAfee products are Covered Products, and which McAfee products are Under Analysis.
This security update addresses a vulnerability in the Microsoft Secure Channel (Schannel) security package that is part of Windows. It is a Remote Code Execution vulnerability that exists because the Schannel security package is improperly processing specially crafted packets. The Schannel component exists in both workstation and server versions of Microsoft Windows.
An interesting note about this update is that it introduces new capabilities in the Schannel component. It adds four (4) new TLS cipher suites, each of which operate in Galois-Counter-Mode (GCM). Galois-Counter-Mode provides authenticated encryption by utilizing a block cipher mode of operation which uses universal hashing over a binary Galois field. Very cool “math geek” stuff in field theory here…
Here we have a vulnerability in the XML Core Services component in Microsoft Windows. Note that while certain versions of the Microsoft XML Core Services are included in Microsoft Windows, others are bundled with additional software from Microsoft or other companies or available as separate downloads. The Microsoft bulletin provides more information on the XML Core Services versions and how they can be obtained. This is a Remote Code Execution vulnerability that results when the XML Core Services improperly parses XML content. Just like other vulnerabilities, an attacker would need to convince a user to visit a compromised website or get them to open an attachment sent via email. Overall, this is a Critical vulnerability that should be aggressively patched.
MS14-069 (CVE-2014-6333, CVE-2014-6334, & CVE-2014-6335)
This security update is for three (3) vulnerabilities in Microsoft Office 2007 Service Pack 3, the Microsoft Word Viewer, and the Microsoft Office Compatibility Pack Service Pack 3. All three (3) of these vulnerabilities are Remote Code Execution. Each of these vulnerabilities was privately reported to Microsoft. The versions of Microsoft Office that are affected are very specific; others that aren’t listed in the bulletin are not affected.
The Windows TCP/IP stack has a publically reported vulnerability that occurs during input/output control (IOCTL) processing. At attacker would need to be logged on to a system and then run a specially crafted application that exploits this vulnerability. It ONLY affects supported editions of Windows Server 2003, so later versions of Windows Server and the Workstation versions don’t have this vulnerability.
This vulnerability is an Elevation of Privilege in the Microsoft Windows Audio Service. Like other Elevation of Privilege vulnerabilities, by itself it does not allow arbitrary code to run. An attacker would need to combine this vulnerability with a Remote Code Execution vulnerability. An application that uses the Windows Audio Service could potentially allow a script to run under specific conditions. It covers a wide amount of Windows versions, including both Server and Workstation SKU’s.
Multiple versions of the Microsoft .NET Framework have an Elevation of Privilege vulnerability that occurs if an attacker sends specially crafted data to a machine that is using .NET Remoting. Applications have to be specifically written to utilize .NET Remoting, which does lessen the reach of this vulnerability. Because this vulnerability is in multiple versions of the .NET Framework and any given Windows system could have several versions of the .NET Framework installed, there may be several updates that need to be applied. Any affected version of the .NET Framework will require a patch to address this vulnerability.
SharePoint Server 2010 Service Pack 2 has a vulnerability that allows an authenticated attacker to potentially run arbitrary script in the context of the authenticated account on a SharePoint site. This vulnerability exists because the affected version of SharePoint Server does not properly sanitize page content in SharePoint lists. Note that a very specific version of SharePoint Server has this vulnerability, other versions are not affected.
Here we have a vulnerability in the Remote Desktop Protocol (RDP) that allows a Security Feature Bypass. Only systems with RDP enabled are affected. Note that RDP is NOT enabled by default on any version of Windows. Since this is a Security Feature Bypass vulnerability, it would need to be combined with another vulnerability to allow an attacker to execute arbitrary code.
Internet Information Services (IIS) has a security feature called “IP and domain restrictions” that prevents clients from restricted or blocked domains or IP address ranges from accessing IIS. Successful exploitation of this vulnerability could lead to a bypass of this security feature. Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 machines that are utilizing Internet Information Services (IIS) and the “IP and domain restrictions” feature are affected.
This vulnerability is an Information Disclosure bug in Active Directory Federation Services (ADFS). If you’re using ADFS, please check the bulletin for the specific versions of ADFS and Windows Server that are affected. Microsoft has rated this security update as Important.
The Microsoft Input Method Editor (IME) (Japanese) has a vulnerability that could allow sandbox escape of a vulnerable application. An attacker could potentially use this vulnerability to gain access to the affected system with logged-in user rights. Only machines with the IME (Japanese) component installed are affected.
Lastly, a vulnerability exists in a kernel-mode driver in Windows that could allow a denial of service. This attack vector is very specific: an attacker needs to place a specially crafted TrueType font file on a network share and then a user with a vulnerable machine needs to navigate there in Windows Explorer. Microsoft has listed this update as Moderate.
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Bonus Vulnerability Coverage: Just like last month, here’s a bonus vulnerability. Although not technically listed as a Microsoft Security Bulletin, Microsoft updated Microsoft Security Advisory 2755801 in November to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB14-24.
Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
Finally, these briefings are archived on the McAfee Community site.
For additional useful security information, please make note of the following links:
You can also review the Microsoft Summary for November 2014 at the Microsoft site.
Until next month…stay safe!