Microsoft Patches OLE Zero Day, Recommends EMET 5.1 Before Applying IE Patches

Microsoft patched a zero-day vulnerability in OLE being used in targeted attacks as part of its November 2014 Patch Tuesday security bulletins, one of four critical updates released today.

A busy Microsoft Patch Tuesday arrived today with an extra sense of urgency and a complication.

Among 14 bulletins, four of which are rated critical by Microsoft, is a patch for the OLE zero-day vulnerability being used in a number of targeted attacks. The zero-day is being spread via email messages containing malicious Office file attachments. The disclosure, the second against OLE since Oct. 14, was partially addressed when Microsoft issued a FixIt tool as a temporary mitigation.

The OLE vulnerability affected all supported releases of Windows and allowed attackers to remotely control infected computers and execute code. The announcement followed a report by iSIGHT Partners revealing that the Sandworm APT group was exploiting another hole in OLE to attack government agencies and energy utilities.

OLE, or Microsoft Windows Object Linking and Embedding, allows for embedding and linking to documents and other objects.

MS14-064 addresses both vulnerabilities in question, CVE-2014-6332 and CVE-2014-6352. The first CVE occurs when Internet Explorer improperly access objects in memory, Microsoft said. The second patch modifies the way Windows validates the use of memory when OLE objects are accessed, Microsoft said.

The use of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) was also recommended as a temporary stopgap. Microsoft on Monday released EMET 5.1, and updated a number of the mitigations available, including the resolution of a race condition in the Mandatory ASLR mitigation and the hardening of several other mitigations against reported bypasses.

The most important updates, however, have to do with compatibility with a number of ubiquitous applications, including Internet Explorer, Adobe Reader and Flash, and Mozilla Firefox.

In fact, Microsoft recommends that EMET 5.0 users upgrade to 5.1 immediately before proceeding with the application of today’s patches.

“If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation,” Microsoft said in an advisory. “Alternatively, you can temporarily disable EAF+ on EMET 5.0.”

As is becoming the norm, Microsoft also released a cumulative update for IE. Today’s bulletin, MS14-065, patches 17 vulnerabilities, many of which allow remote code execution. The update is rated critical going back to IE 6.

“The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, by adding additional permission validations to Internet Explorer, and by helping to ensure that affected versions of Internet Explorer properly implement the ASLR security feature,” Microsoft said.

Microsoft also patched a remote code execution vulnerability in Microsoft Secure Channel, or Schannel, a Windows encryption security package used for SSL and TLS connections. MS14-066 patches an issue in the way Schannel processes specially crafted packets, Microsoft said.

“The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles,” said Qualys CTO Wolfgang Kandek. “The vulnerabilities are private as they were found by Microsoft internally and while Microsoft considers it technically challenging to code an exploit it is only a matter of time and resources, it is prudent to install this bulletin in your next patch cycle.”

MS14-067 is the final bulletin ranked critical by Microsoft. The vulnerability can be exploited by a malicious website designed to invoke Microsoft XML Core Services through IE, Microsoft said. MSXML improperly parses XML content, which can then in turn corrupt the system state and enable remote code execution, Microsoft said.

One bulletin rated important by Microsoft is MS14-069, which patches vulnerabilities in Microsoft Word 2007 and allows for remote code execution. Because it’s limited to Office 2007 and cannot be automatically exploited remotely and requires user action, Microsoft rated it important.

“The attack scenario here is a malicious document that the attacker prepares to exploit the vulnerability. Attackers then send the document directly or a link to their targets and use social engineering techniques, such as legitimate sounding file names and content descriptions that are likely interest the targets in question,” Kandek said. “If you run newer versions of Microsoft Office you are not vulnerable, but users of Office 2007 should place high priority on this bulletin.”

The remaining bulletins are all rated important by Microsoft:

  • MS14-070 is an elevation of privilege vulnerability in TCP/IP
  • MS14-071 is an elevation of privilege vulnerability in Windows Audio Service
  • MS14-072 is an elevation of privilege vulnerability in the .NET framework
  • MS14-073 is an elevation of privilege vulnerability in SharePoint Foundation
  • MS14-074 is a security feature bypass in Remote Desktop Protocol
  • MS14-076 is a security feature bypass in Internet Information Services
  • MS14-077 is an information disclosure vulnerability in Active Directory Federation Services
  • MS14-078 is an elevation of privilege vulnerability in IME (Japanese)

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.