Microsoft holds back two security bulletins

Microsoft has published a large number of security bulletins in its November 2014 software update, but two less than expected

As expected, Microsoft has published a large number of security bulletins in its November 2014 software update, but two less than indicated in the advance notice.

However, with 14 bulletins addressing nearly 40 individual vulnerabilities, the security update is nearly double the usual size and is bound to keep business IT systems administrators busy.

The release of MS14-068 and MS14-075 was delayed, but Microsoft gave no new release date, saying it was still to be determined.

Tyler Reguly, manager of security research at Tripwire, said it is not uncommon for a bad patch to be pulled during the quality-assurance process.

“It is, however, odd for the numbering to remain untouched,” he said. “This means we'll likely see both of these bulletins released in December 2014 and they will be out of order from the other bulletins.”

Microsoft held back MS14-068, one of the critical Windows vulnerabilities, because it showed some last-minute stability problems, according to the chief technology officer at security firm Qualys, Wolfgang Kandek.

“It is a privately disclosed vulnerability so this should not have a major effect on a company's security situation, but we know we will get at least one critical Windows patch in December,” he said.

Of those published, Kandek believes the most important is MS14-064, which addresses a current zero-day vulnerability – CVE-2014-6352 – in the Windows object linking and embedding (OLE) packager for Vista and newer versions of the Windows operating system.

“Attackers have been abusing the vulnerability to gain code execution by sending PowerPoint files to their targets,” he said.

Previously, Microsoft acknowledged the vulnerability in security advisory KB3010060 and offered a workaround using the Enhanced Mitigation Experience Toolkit (EMET) and a temporary patch in the form of a fix-it solution.

“This is the final fix for the OLE packager that should address all known exploit vectors and is highly recommended as the top patch,” said Kandek.

MS14-066 is a new version of Internet Explorer that addresses 17 vulnerabilities. The most severe of these vulnerabilities could be used to gain control over a targeted machine.

Malicious web page attacks

Kandek said an attack will take the form of a malicious web page that the targeted user has to browse to.

“There are two basic scenarios that attackers use frequently,” he said.

In the first, the user browses to the site by their own volition, but the attacker has gained control over the website in question through a separate vulnerability and is able to plant malicious content on the site.

An example is the recent vulnerability (CVE-2014-3704) in the Drupal content management system, which exposed more than 12 million sites to this type of situation.

Using the vulnerability, an attacker has complete control over the site and can plant malicious pages on an otherwise innocent site.


“A second scenario has the attacker set up a new site and then direct traffic to it through search engine manipulations, such as sites purporting to have the latest pictures on a recent event of general or specific interest,” said Kandek.

MS14-066 is the second-most important patch, he said, noting that users of Internet Explorer 10 or 11 will also get an automatic Adobe Flash update in November 2014.

“Users of older Internet Explorer browsers need to download their own update,” said Kandek.

Next, he said businesses should pay attention to MS14-069, which concerns Microsoft Word 2007 and provides fixes for a remote code execution (RCE) vulnerability.

“The attack scenario here is a malicious document the attacker prepares to exploit the vulnerability. Attackers then send the document directly or a link to their targets and use social engineering techniques, such as legitimate-sounding file names and content descriptions that are likely to interest the targets in question,” said Kandek.

“If you run newer versions of Microsoft Office you are not vulnerable, but users of Office 2007 should place high priority on this bulletin,” he said.

MS14-066 addresses a number of vulnerabilities in an encryption component of Windows called Schannel, which is used in secure sockets layer (SSL) and transport layer security (TLS) connections.

Internal code review

The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles.

“The vulnerabilities are private as they were found by Microsoft internally and, while Microsoft considers it technically challenging to code an exploit, it is only a matter of time and resources, and it is prudent to install this bulletin in your next patch cycle,” said Kandek.

The remaining bulletins address a mix of different operating systems and platforms, and include a number of server vulnerabilities: MS14-073 in Microsoft SharePoint and MS14-076 in Internet Information Services (IIS).

Kandek describes MS14-078 as “curious” because it fixes a vulnerability (CVE-2014-4077) in a Windows component for Japanese input.

The vulnerability has to be used in conjunction with another to get RCE, but it has been attacked in the wild.

“Attackers send Adobe PDF documents that contain a special malformatted dictionary that can trigger the input method editor (IME) exploit,” said Kandek.

“If your Adobe Reader is on the latest update set, or if you use another PDF rendering program, you are not affected by the vulnerability,” he said.
