October Patch Tuesday Round-Up
Microsoft had a rough month. Instead of the nine announced bulletins they released eight. Of those eight, three updates were plugging vulnerabilities that were being exploited in the wild. An additional Microsoft Security Advisory has caused some issues and was pulled from the downloads site. On the Non-Microsoft front, there were releases from Adobe, Google, and Oracle that should be on your high priority list. Oracle released their quarterly Critical Patch Update which included many high severity vulnerabilities in Java SE. Adobe Flash released which also caused Internet Explorer and Google Chrome to release an update to support the plug-in. Here is a priority breakdown for security updates this month and details on known issues:
Shavlik Priority 1 Updates (Priority 1 updates should be applied as soon as possible):
- MS14-056: Cumulative Security Update for Internet Explorer (2987107) - This update is rated as Critical by Microsoft and resolves fourteen privately reported vulnerabilities in Internet Explorer which could lead to Remote Code Execution. The vulnerabilities are all memory related exploits and the update is changing behavior of how IE handles objects in memory to resolve these vulnerabilities. One of the vulnerabilities resolved (CVE-2014-4123) has been exploited in wild as a sandbox escape.
- MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) - This update is rated as Critical by Microsoft and resolves three privately reported vulnerabilities in .NET Framework which could lead to Remote Code Execution. On .NET 4.0 iriParsing is disabled by default, but on .NET 4.5 this feature cannot be disabled. If you are running .NET 4.5 this is a higher priority.
- MS14-058: Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - This update resolves two privately reported vulnerabilities in Microsoft Windows which could lead to Remote Code Execution. Both of the vulnerabilities (CVE-2014-4148 and CVE-2014-4113) in this bulletin have been reported in targeted attacks in the wild. The vulnerabilities ideally could be used in concert, but the reported attacks were exploiting each in separate attacks.
- MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - This update is rated as Important and resolves one privately reported vulnerability in Microsoft Windows. Although only rated as Important, this update resolves a vulnerability (CVE-2014-4114) that has been detected in targeted attacks reported in the wild.
- APSB14-22: Security updates available for Adobe Flash Player - This update is rated as a Priority 1 by Adobe and resolves three vulnerabilities in Adobe Flash Player. Two of the vulnerabilities are memory corruption issues and the third is a integer overflow which could lead to Code Execution. In addition to the Flash Player update there is an IE Security Advisory and a Google Chrome update that need to be deployed to resolve the vulnerabilities in the Flash browser plug-in.
- MSAF-031: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - This advisory updates Internet Explorer to support the latest Adobe Flash Player Plug-In update. The Flash Player update is a Priority 1 update resolving three vulnerabilities.
- CHROME-114: Chrome 38.0.2125.104 - This is a High priority update from Google to update the Adobe Flash Player Plug-In. The Flash Player update is a Priority 1 update resolving three vulnerabilities.
- Java7-71: Java 7 Update 71 - This update is part of the Oracle Critical Patch Update release for Q4. The release resolves 25 vulnerabilities, 22 of which are exploitable over the network without authentication. Oracle has rated this update as Critical. It includes one vulnerability with a CVSS score of 10.0 and several other 9's.
Shavlik Priority 2 Updates (Priority 2 updates should be tested and rolled out in a reasonable time frame, typically within 10-30 days of release):
- MS14-059: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942) - This update resolves one publicly disclosed vulnerability and is rated as Important. The vulnerability is mitigated by XSS filters in IE 8, 9, 10, and 11 and workarounds are available to block ActiveX controls for Local Intranet Security Zones. A user would need to be convinced to view a specially crafted website or click a link in a email message or Instant Messenger message to be exploited.
- MS14-061: Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434) - This update resolves one privately reported vulnerability and is rated as Important. An attacker must convince a user to open an attachment or access a specially crafted website. If exploited the attacker would gain the same user rights as the current user. Limiting users to less than Administrator user rights can mitigate the exposure if exploited.
- MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - This update resolves a publicly disclosed vulnerability in Microsoft Windows and is rated as Important. The vulnerability is part of the Message Queuing component which is not installed by default. It must be enabled by a user with Administrator privileges. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Shavlik Priority 3 Updates (Priority 3 updates should be evaluated to determine potential risk to the environment and tested and rolled out in a reasonable time frame if applicable):
- MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) - This update resolves one privately reported vulnerability in Microsoft Windows which could lead to Elevation of Privilege. The attacker must have physical access to the system to be able to exploit the vulnerability.
- FF14-012: Firefox 33.0 - Mozilla released FireFox 33. This update does not include security fixes, just new features and bug fixes.
- MS14-A12: Security Advisory KB 2949927: Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 - The update has been pulled due to issues impacting systems after update. Some have had to be restored by CD-rom to resolve. If you have already deployed this Advisory you may need to roll it back.
For access to Shavlik’s Patch Tuesday webinar or presentation you can go to our webinars page and check out the ‘Recent Webinars’ section and click view. You can also sign up for the October Patch Tuesday webinar where we will discuss the Patch Tuesday release for all of the critical apps that affect you.