IE, Schannel Bulletins Re-Released With Patch Tuesday Updates

Microsoft released seven security bulletins, three of them rated critical, as part of its December 2014 Patch Tuesday updates. It also re-released November updates for IE and Schannel.

Microsoft exits 2014 the way it came into the year, with a relatively quiet set of Patch Tuesday security bulletins.

As promised last week, Microsoft released seven bulletins today, three of them rated critical, meaning the likelihood of exploitation and remote code execution is high.

Microsoft also re-released two bulletins today: MS14-065, a cumulative IE update from November, and MS14-066, the patch for a vulnerability in Schannel, the component Windows uses to implement SSL and TLS for secure communication.

The IE update released last month was causing a number of issues, including crashes in certain circumstances, websites or error messages not displaying properly in certain versions of IE, as well as other functionality problems. Issues with the original Schannel patch, released in November, cropped up early, with users reporting failed TLS negotiations. The problem applied to TLS 1.2 in particular, where processes would become unresponsive; Microsoft recommended at the time that users disable support for some of the cipher suites added in the patch.
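A defensive check related to the Schannel issue above, added here as an example and not code from the article or from Microsoft: it reads the Schannel cipher-suite order from the registry and reports whether the four GCM suites the November update introduced are still in the active list. The suite names and registry paths are my assumptions and should be verified against Microsoft's own guidance; the script needs PowerShell 3.0 or later and read access to HKLM.

```powershell
# Added example (not from the article): report whether the Schannel cipher-suite
# order on this host still contains the GCM suites the original MS14-066 update
# introduced. The four suite names are an assumption about what the November
# update added; confirm them against Microsoft's guidance before acting.
$suitesAddedByMs14066 = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

function Get-SchannelCipherSuiteOrder {
    # A Group Policy "SSL Cipher Suite Order" setting (comma-separated REG_SZ)
    # overrides the per-machine default list (REG_MULTI_SZ) when it is present.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

    $policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        return [pscustomobject]@{ Source = 'GroupPolicy'; Suites = @($policy.Functions -split ',') }
    }
    $local = Get-ItemProperty -Path $localKey -Name Functions -ErrorAction SilentlyContinue
    if ($local -and $local.Functions) {
        return [pscustomobject]@{ Source = 'LocalDefault'; Suites = @($local.Functions) }
    }
    return [pscustomobject]@{ Source = 'None'; Suites = @() }
}

function Test-Ms14066SuitesPresent {
    $order   = Get-SchannelCipherSuiteOrder
    $present = $order.Suites | Where-Object { $suitesAddedByMs14066 -contains $_.Trim() }
    [pscustomobject]@{
        Source        = $order.Source
        SuiteCount    = $order.Suites.Count
        Ms14066Suites = @($present)
    }
}

$result = Test-Ms14066SuitesPresent
"Cipher suite order source: $($result.Source) ($($result.SuiteCount) suites)"
if ($result.Ms14066Suites.Count -gt 0) {
    "Suites introduced by MS14-066 still active:`n  " + ($result.Ms14066Suites -join "`n  ")
    "If TLS 1.2 negotiations hang on this host, Microsoft's interim advice was to remove these suites from the SSL Cipher Suite Order until the re-released update is applied."
} else {
    "None of the MS14-066 GCM suites are in the active cipher suite order."
}
```

When neither registry value exists, Schannel is using its built-in default order and the script reports `None`; that case is not a sign the suites are absent, only that no explicit order has been configured.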

Today’s new bulletins include another cumulative update for Internet Explorer, MS14-080, which patches 14 memory corruption and ASLR bypass vulnerabilities in the browser. The update is rated critical by Microsoft for IE 6-11 on the client side, and moderate for IE 6-11 on Windows servers.

“The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, by preventing the XSS filter in Internet Explorer from incorrectly disabling HTML attributes, by helping to ensure that affected versions of Internet Explorer properly implement the ASLR security feature, and by modifying how the VBScript scripting engine handles objects in memory,” Microsoft said in its advisory.

Microsoft also issued an Exchange patch that was originally slated for release in November, but was held back to this month. MS14-075 is rated important by Microsoft and handles four vulnerabilities in Exchange Server 2007, 2010 and 2013. Three of the vulnerabilities are in Outlook Web Access (token spoofing and cross-site scripting flaws), while the remaining flaw is a URL redirection vulnerability in Exchange Server.

Microsoft patched a pair of Office vulnerabilities in MS14-081, both rated critical. The two bugs, in Word and Office Web Apps, could allow remote code execution if a malicious Office file is opened. Microsoft said affected products include: Microsoft Word 2007; Microsoft Office 2010; Microsoft Word 2010; Microsoft Word 2013; Microsoft Word 2013 RT; Microsoft Office for Mac 2011; Microsoft Word Viewer; Microsoft Office Compatibility Pack; and affected Microsoft Office services and Web Apps on supported editions of Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013 and Microsoft Office Web Apps Server 2013.

The final critical bulletin, MS14-084, addresses a remote code execution vulnerability in the VBScript Scripting Engine in Windows. The same vulnerability is present on Windows servers, but Microsoft has rated the flaw moderate for server software.

A user visiting a malicious website via Internet Explorer could trigger the vulnerability, Microsoft said.

“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft said in its advisory. “The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability.”

The three remaining bulletins were all rated important by Microsoft:

  • MS14-085: an information disclosure vulnerability in the Microsoft Graphics Component in Windows.
  • MS14-082: a remote code execution use-after-free vulnerability in Microsoft Office affecting Office 2007, 2010, 2013 and 2013 RT. This one is rated important because it cannot be exploited automatically by simply reading an email, Microsoft said.
  • MS14-083: patches two remote code execution vulnerabilities in Microsoft Excel. One of the flaws is a global free remote code execution bug, and the other is an Excel invalid pointer remote code execution flaw. Both require the user to open a malicious attachment or click on a link.
