Congratulations on making it to the last Patch Tuesday in 2014. The congrats part is directed toward you because it was a year of Microsoft cluster-flubbed fixes for flaws, whether that was due to shoddy QA processes or Microsoft botching it elsewhere. Let’s hope Microsoft’s 2015 patches don’t prove to be as problematic or as frustrating for admins. For December, there are seven security updates; the three critical security patches all close remote code execution (RCE) holes in all supported versions of Microsoft Windows—including the Technical Previews—all supported Internet Explorer versions, and Office for Word 2007, 2010, 2013 and even Word 2011 for Mac OS X.
Last month, Microsoft delayed MS14-068, before later releasing the patch for the critical Kerberos vulnerability, as well as the Exchange patch MS14-075. Of the latter, the Exchange Team said the November patch exhibited unacceptable behavior and the patch would be delayed until December.
3 Critical patches to plug remote code execution holes
MS14-080 resolves 14 privately reported vulnerabilities in Internet Explorer. It is rated critical for Microsoft Windows and Internet Explorer; definitely plan on a restart for this one. The security update is critical for IE 7 through IE 11 running on Vista, Windows 7, Windows 8 and 8.1, but rated as moderate for IE 6, IE 7 and IE 8 on Windows Server 2003 and Windows Server 2008. There has been a steady release of critical fixes for IE. Shavlik product manager Chris Goettl said that patching critical IE holes "is going to become a Critical monthly occurrence."
MS14-081 fixes two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. It is rated critical for Microsoft Office, fixing an RCE flaw in Word 2007 SP3, Word 2010 SP2, Word 2013, Word 2013 RT, Word 2011 for Microsoft Office on Mac, Microsoft Office Compatibility Pack and Microsoft Word Viewer. Microsoft added that it is also critical "for affected Microsoft Office services and Web Apps on supported editions of Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013, and Microsoft Office Web Apps Server 2013."
The fix for “Microsoft Word is particularly interesting,” said Qualys CTO Wolfgang Kandek via email. “It is rated critical by Microsoft, which normally does not happen when normal file based vulnerabilities are being addressed. A critical rating is only given if the vulnerability can be triggered without user interaction, which happens fairly rarely, typically when the Outlook preview can be tricked to run the malicious code automatically.”
MS14-084 provides the fix for one privately reported, critical RCE vulnerability in the VBScript scripting engine in Microsoft Windows. Microsoft noted, “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
4 patches rated as important
MS14-075, the patch that was deemed to have unacceptable behavior and was delayed in November, has been dusted off and made acceptable. It is rated important due to an elevation of privilege hole in Microsoft Exchange Server 2007 (SP3), 2010 (SP3), and 2013 (Cumulative Update 6).
Both MS14-082 and MS14-083 are rated as important fixes due to RCE flaws. MS14-082 resolves one privately reported hole in Microsoft Office. MS14-083 patches two privately reported vulnerabilities in Microsoft Excel.
MS14-085 is rated important for Windows due to the potential for information disclosure if a user browses to a website containing specially crafted JPEG content. The patch resolves a publicly disclosed vulnerability in Microsoft Graphics Component. Microsoft noted, “The information disclosure vulnerability by itself does not allow arbitrary code execution. However, an attacker could use this information disclosure vulnerability in conjunction with another vulnerability to bypass security features such as Address Space Layout Randomization (ASLR).”
You might as well grab the new version of Adobe Reader and/or Acrobat as both versions 10 and 11 for Windows and Macintosh contain fixes for critical vulnerabilities.