Microsoft patches Windows, IE; holds back two updates

The most serious vulnerability could allow an attacker to gain control of a Windows Server just by sending packets. For undisclosed reasons, Microsoft withheld two updates scheduled for release.
Written by Larry Seltzer, Contributor

Microsoft today released 14 security updates to address 33 vulnerabilities in Windows, Internet Explorer and Office. Two updates scheduled for release today (MS14-068 and MS14-075) were withheld and their release date is yet to be determined.

The most severe of the vulnerabilities may be MS14-066 which could allow remote, unauthenticated compromise of Windows servers.

Two of the vulnerabilities are being exploited in the wild. For one of them, Microsoft had previously released a "Fix it" to block the known attacks.

  • MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) — Two vulnerabilities could allow system exploit through an OLE client such as PowerPoint. One is being exploited in the wild and the one for which Microsoft provided a Fix it. That Fix it only addresses specific attacks, whereas this update fixes the underlying vulnerability. See the Microsoft KB page for a link to remove the Fix it.
  • MS14-065: Cumulative Security Update for Internet Explorer (3003057) — This update fixes 17 vulnerabilities in Internet Explorer. Many are rated critical and all versions of IE are affected. Internet Explorer 11, the most current version, has six vulnerabilities rated critical. Microsoft also says that working exploit code is possible for nearly all of the 17.
  • MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) — This is a highly-severe vulnerability which could allow an attacker to execute code on a Windows Server in a highly-privileged context just by sending specially-crafted packets to it. Microsoft lists no mitigating factors.
  • MS14-067: Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958) — A malicious web site could compromise a client through Internet Explorer.
  • MS14-069: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710) — Word 2007 SP3, the Word Viewer and Office Compatibility Pack Service Pack 3 can all be exploited through specially-crafted files.
  • MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) — An attacker can gain elevated privilege through a flaw in the Windows TCP/IP client (IPv4 or IPv6).
  • MS14-071: Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607) — This vulnerability would need to be used along with another in order to be exploited.
  • MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) — An attacker could gain elevated privilege by sending specially-crafted data to a client or server that uses .NET Remoting. All versions of Windows are affected.
  • MS14-073: Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431) — An authenticated attacker could run arbitrary script at server privileges on Microsoft SharePoint Foundation 2010 Service Pack 2.
  • MS14-074: Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743) — An RDP (Remote Desktop Protocol) system could be induced not to log events properly, but Microsoft considers working exploit code unlikely.
  • MS14-076: Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998) — A user could bypass IIS restrictions on users and IP addresses. Microsoft considers working exploit code unlikely.
  • MS14-077: Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381) — If a user leaves a browser open after logging out of an application, another user could reopen the application in the browser immediately after the first user logged off. Microsoft considers a working exploit unlikely.
  • MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (3005210) — Sandbox escape is possible on the IME (Input Method Editor) (Japanese). This attack is being exploited in the wild.
  • MS14-079: Vulnerability in Kernel Mode Driver Could Allow Denial of Service (3002885) — If a user used Windows Explorer to browse a network share that contained a specially-crafted TryeType font, the system could become unresponsive.

Users of Microsoft's EMET (Enhanced Mitigation Experience Toolkit), a tool for hardening applications against attack, should upgrade the tool to the new version 5.1 before applying today's Internet Explorer updates. Microsoft has said that the updates cause problems for users of version 5.0 of EMET.

The MS14-066 update also includes support for new SSL/TLS cipher suites. The new suites "...all operate in Galois/counter mode (GCM), and two of them offer perfect forward secrecy (PFS) by using DHE key exchange together with RSA authentication."

Microsoft also released a new version of Flash Player integrated into Internet Explorer 10 and 11 to address vulnerabilities disclosed today by Adobe.

The new version of the Windows Malicious Software Removal Tool (KB890830) removes malware from the Win32/Tofsee and Win32/Zoxpng families, according to a blog from the Microsoft Malware Protection Center.

Microsoft also released several non-security updates. Based on prior experience. the links to these will become live through the course of the day Tuesday.

Editorial standards