November Patch Day Round-Up
November Patch Tuesday was the biggest this year with 16 announced, but Microsoft only released 14 on Patch Tuesday and today we step up to 15 updates. As you may recall, two of the updates were not pulled from November, but marked as “Release date to be determined”. Well today is the day for MS14-068. Microsoft announced the Critical OS patch this morning. This update for Kerberos should make its way into your deployment plan if possible.
So if we run down the list of everything that will be touched this month when you patch, here is what will receive updates: all Windows OSs, all versions of IE, MSXML, .NET Framework, IIS (for specific OSs), RDP, Office, SharePoint, AD Federation Services, and there is still the Exchange patch with a release date TBD. Aside from Microsoft there is the Adobe Flash update, which resolved 18 vulnerabilities, and there is a corresponding IE Advisory and Chrome release to update the Flash plugin.
Known issues to look out for:
- There is an issue with the IE Cumulative and EMET that you will want to watch out for and rising concerns over how bad the Schannel (MS14-066) update really is.
Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):
- MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - This update is rated Critical by Microsoft and resolves two privately reported vulnerabilities in Windows OLE. One of the vulnerabilities resolved has been exploited in the wild (CVE-2014-6352) with an exploit known as 'Sandworm'. The attack was targeted at NATO PCs through a specially crafted PowerPoint file.
- MS14-065: Cumulative Security Update for Internet Explorer (3003057) - This update is rated Critical by Microsoft and resolves 17 vulnerabilities in Internet Explorer. Many of the vulnerabilities resolved are memory related, continuing a trend we have been seeing since June of this year. So far there is at least one known issue with this update. If you are running IE11 and EMET on Windows 7 or 8.1, you will also need to update EMET to version 5.1 which released this month as well.
- MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) - This update is rated as Critical by Microsoft and resolves one vulnerability. In terms of severity, the issue resolved is being compared to the Heartbleed OpenSSL vulnerability. Although Microsoft has not received information to indicate this vulnerability has been publicly disclosed, the recommendation is to roll this update out ASAP. If a worm or mass botnet were developed to exploit this vulnerability, the expected impact could be significant.
- MS14-067: Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958) - This update is rated as Critical and resolves one privately reported vulnerability in XML Core Services. An attacker could create specially crafted web content to exploit this vulnerability allowing the execution of code on the system exposed.
- MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - This update has been rated as Critical by Microsoft. This update was postponed on Patch Tuesday, but was not pulled from the November release. Well, it released today. The vulnerability is in Kerberos and affects all Windows Operating Systems currently under support. It resolves one privately reported vulnerability in Kerberos KDC, which could allow Elevation of Privilege. The attacker must have a valid domain user account, but with that user account they can forge a Kerberos ticket that will allow them to claim they are a domain administrator. From there they can do pretty much what they want from creating accounts to installing software and deleting or changing data. They will have access to your network as a Domain Administrator. The update should be worked into your deployment plan this month as the vulnerabilities resolved are severe enough to warrant some urgency.
- APSB14-24: Security updates available for Adobe Flash Player - This update is a Priority 1 update from Adobe resolving 18 vulnerabilities across many types of attack vectors. Completely resolving these vulnerabilities requires both OS and browser updates; this one is for Flash on the OS.
- MSAF-032: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - This Advisory is not rated by Microsoft, but following the Adobe rating of Priority 1, this update is recommended to push as soon as possible. This update allows Internet Explorer to run the latest Adobe Flash release, resolving the 18 vulnerabilities.
- CHROME-116: Chrome 38.0.2125.122 - This update is not rated by Google as it resolves no known vulnerabilities in Chrome. This update does provide support for the Adobe Flash release. Again, the severity here should be based on the Priority 1 that Adobe has set, and it should be rolled out as soon as possible to ensure all parts of Flash are updated, preventing any exposure to these risks.
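As an added example (not part of the original post or of Shavlik's tooling), a PowerShell audit of a single host against the Priority 1 Microsoft bulletins above, plus a check for the IE11 + EMET known issue called out under MS14-065. It assumes that the KB number in each bulletin title is also the KB id of the installed package (not always true, see the comment), and that EMET registers an uninstall entry whose DisplayName starts with "EMET" or "Enhanced Mitigation".

```powershell
# Constructed example: audit this host for the Priority 1 Microsoft bulletins
# from this round-up and flag the IE11 + EMET prerequisite from MS14-065.
# Assumption: the KB number in the bulletin title is also the HotFixID of the
# installed package. Some bulletins ship as differently numbered packages, so
# confirm each id against the bulletin before trusting a "MISSING" result.
$priority1 = [ordered]@{
    'MS14-064 (Windows OLE)'   = '3011443'
    'MS14-065 (IE Cumulative)' = '3003057'
    'MS14-066 (Schannel)'      = '2992611'
    'MS14-067 (MSXML)'         = '2993958'
    'MS14-068 (Kerberos KDC)'  = '3011780'
}

# Get-HotFix returns ids in the form "KB3011780"
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($entry in $priority1.GetEnumerator()) {
    $kb = "KB$($entry.Value)"
    $status = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    '{0,-26} {1,-10} {2}' -f $entry.Key, $kb, $status
}

# Known issue from MS14-065: IE11 with EMET on Windows 7 / 8.1 needs EMET 5.1.
# IE version comes from the svcVersion value (present on IE10+); the EMET
# version comes from the standard Add/Remove Programs uninstall keys.
$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' `
              -ErrorAction SilentlyContinue).svcVersion
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$emet = Get-ChildItem $uninstallKeys -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'EMET*' -or $_.DisplayName -like 'Enhanced Mitigation*' } |
        Select-Object -First 1

if ($ieVersion -like '11.*' -and $emet) {
    if ([version]$emet.DisplayVersion -lt [version]'5.1') {
        "WARNING: IE11 with EMET $($emet.DisplayVersion); update EMET to 5.1 before deploying KB3003057"
    } else {
        "EMET $($emet.DisplayVersion) is compatible with the IE11 cumulative update (KB3003057)"
    }
}
```

Flash (APSB14-24, MSAF-032) and Chrome are not Windows hotfixes and are not covered by Get-HotFix; check those through the browser or plugin version instead.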
Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):
- MS14-069: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710) - This update is rated as Important and resolves three privately reported vulnerabilities in Microsoft Office. An attacker could create specially crafted content to exploit these vulnerabilities, allowing them to execute remote code.
- MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - This update is rated as Important and resolves one privately reported vulnerability in TCP/IP on Windows Server 2003, which could allow Elevation of Privilege.
- MS14-071: Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607) - This update is rated as Important and resolves one privately reported vulnerability in Windows Audio Service, which could allow Elevation of Privilege.
- MS14-072: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) - This update is rated as Important and resolves one privately reported vulnerability in .NET Framework which could allow Elevation of Privilege.
- MS14-073: Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431) - This update is rated as Important and resolves one privately reported vulnerability in SharePoint Foundation, which could allow Elevation of Privilege.
- MS14-074: Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743) - This update resolves one privately reported vulnerability in Remote Desktop Protocol, which could allow Security Feature Bypass.
- MS14-075: “Release date to be determined”. Likely before December Patch Tuesday if MS14-068's release today is any indication.
- MS14-076: Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998) - This update resolves a privately reported vulnerability in Internet Information Services, which could allow Security Feature Bypass.
- MS14-077: Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381) - This update resolves one privately reported vulnerability in Active Directory Federation Services, which could allow Information Disclosure.
Shavlik Priority 3 Updates (Priority 3 updates should be evaluated to determine potential risk to the environment and tested and rolled out in a reasonable time frame if applicable):
- MS14-078: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (3005210) - This update resolves one privately reported vulnerability in IME Japanese, which could allow for Elevation of Privilege. The mitigating circumstances reduce the potential risk extensively, but this was discovered in the wild, so it has been publicly disclosed.
- MS14-079: Vulnerability in Kernel Mode Driver Could Allow Denial of Service (3002885) - This update resolves one privately reported vulnerability in Kernel Mode Driver, which could allow a Denial of Service attack. Exploiting this vulnerability would require the attacker to place a specially crafted TrueType font on a network share and convince a user to navigate to it and open it. Chances are the attacker would find easier ways to exploit an environment, so this is less likely to occur.