This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. They cover a total of 33 CVEs.
We’ll start off with the four critical bulletins, for a total of 21 CVEs that can result in remote code execution:
Our first bulletin of the month is MS14-064 and fixes two vulnerabilities (CVE-2014-6332, CVE-2014-6352) in Windows Object Linking and Embedding (OLE) that could allow remote code execution. Both issues are seeing attack in the wild and can be considered 0-days. CVE-2014-6352 is a vulnerability that was the result of an insufficient fix for CVE-2014-4114, the vulnerability that was exploited by Sandworm.
Next up is MS14-065, the monthly IE bulletin. This month it fixes a total of 17 CVEs in IE6 to IE11. All these bugs were privately reported to Microsoft, so they are not being actively exploited. As has been the case for the last while, the majority of the vulnerabilities are the results of use-after-free errors and exploitation can result in remote code execution.
MS14-066 covers a single CVE, CVE-2014-6321, in Microsoft’s Secure Channel security package in Windows, which provides security protocol support for applications. While it is covered by only a single CVE, there’s actually multiple vulnerabilities, ranging from buffer overflows to certificate validation bypasses.
Our final critical bulletin of the month is MS14-067 and also only covers a single CVE, CVE-2014-4118. This time in MSXML, where an invalid free can occur.
Next up are the eight important bulletins for a total of ten CVEs. Five of these CVEs can result in an escalation of privileges, three can result in remote code execution, while one allows for a bypass of security features and finally, there is one information disclosure:
The first important bulletin is MS14-069. It fixes three vulnerabilities in Microsoft office. All three can result in remote code execution if exploited. The three vulnerabilities are the result of a double free (CVE-2014-6333) and two out of bounds errors (CVE-2014-6334 and CVE-2014-6335).
Bulletin MS14-070 fixes a single publicly disclosed CVE (CVE-2014-4076) in Windows’s TCP/IP implementation, where a NULL-pointer dereference in tcpip.sys, can result in an elevation of privileges.
CVE-2014-6322 is addressed by MS14-071 and is the result of an attack where the Windows Audio Service will read symbolic links in the registry from a low integrity process, allowing the process to potentially escape the sandbox.
Next up is bulletin MS14-072, which once again fixes a single vulnerability. CVE-2014-4149 is a vulnerability in .NET that could allow for an elevation of privileges.
A cross site scripting vulnerability in Sharepoint (CVE-2014-4116) is fixed by MS14-073. The vulnerability can result in an escalation of privileges that can only be exploited by an authenticated user.
MS14-074 fixes a single security feature bypass (CVE-2014-6318) in the Windows Remote Desktop Protocol, where a valid user logon attempt would not be logged.
There’s also a vulnerability (CVE-2014-4078) in Microsoft’s Internet Information Services (IIS) that is resolved by MS14-076. The vulnerability can lead to a bypass of the “IP and domain restrictions” security feature and can occur when the Domain Name Restriction white- and blocklists contain entries with wildcards.
Our last important bulletin is MS14-077. It fixes an information disclosure vulnerability (CVE-2014-6331) in Active Directory Federation Services (ADFS).
That brings us to the last two bulletins for this month, which are rated moderate provide fixes for two CVEs:
CVE-2014-4077 is handled by MS14-078 and addresses vulnerability in Microsoft’s Japanese Input Method Editor that could result in an escalation of privileges for an attacker.
Finally, the last bulletin for the month is MS14-079, which fixes a single vulnerability (CVE-2014-6317) in Windows Kernel Mode Drivers that could result in a denial of service.
The following SIDs address these issues:
7070, 32186-32187, 32251-32259, 32313-32316, 32404-32423, 32426-32443, 32458-32461, 32470-32479, 32489-32492, 32489-32492, 32497-32500, 32518-21519
Related items: Cisco Legacy IPS