November Patch Tuesday: A massive update with a few misses

security lock code
Credit: Yuri Samoilov

This is a massive update for Microsoft Patch Tuesday with 16 patches released for November 2014. Generally, November is a quiet month, with an average five or six security updates over the past 10 years. We have seen a general increase in the number of patches overall, but nothing like the 16 updates delivered by Microsoft for this month. In addition, Microsoft has held back two patches (MS14-068 and MS14-075) with an unscheduled publishing date at the time of writing.

MS14-064 -- Critical

MS14-064 attempts to resolve two privately reported and one publicly reported vulnerability in Microsoft's Object Linking and Embedding (OLE) technology that could result in a remote code execution scenario if a user visits a specially crafted web page. This update affects how OLE and Internet Explorer (IE) handle objects in memory and affects all supported versions of Microsoft Windows. This patch attempts to resolve two separate issues, one of which was reported at the end of October and was published as Microsoft Security Advisory 3010060. This is definitely a "patch now" update from Microsoft.

MS14-065 -- Critical

MS14-065 continues Microsoft's internal memory management security program with another batch of updates to Microsoft Internet Explorer (IE). This patch, rated as critical by Microsoft, addresses 17 privately reported security issues, the most severe of which could lead to a remote code execution scenario. In addition, this update attempts to fix a further 12 non-security related issues in IE which have been detailed in the Microsoft knowledge base article  KB3003057. As in past updates to IE, it looks like there has been a complete recompile and the patch manifest for this update includes a change to all Internet Explorer's  distribution files. 

MS14-066 -- Critical

MS14-066 is rated as critical and addresses a privately reported security vulnerability in Microsoft's Schannel security technology that could lead to a remote code execution scenario. Schannel is a security package included as part of the Microsoft Component Object Model (COM) used by Microsoft developers to ensure secure communications between a server and a client, particularly when anonymous clients need to connect to a server as in an on-line e-commerce solution.

MS14-067 -- Critical

The Microsoft security update MS14-067 is rated as critical by Microsoft for Windows desktop platforms and as important for affected server platforms. This vulnerability in Microsoft XML (MSXML) that if exploited through a user visiting a specially crafted website could result in a remote code execution security scenario. This Microsoft security patch updates two core MSXML DLL files (MSXML3.DLL and MSXML3R.DLL). These files were released initially with Windows 2000 and updated until 2005. Unless you are stuck using IE6 then it is highly unlikely that you are still using this particular version of MSXML. In fact, these particular DLL files experience real backward compatibility issues and date back to the "wild west" of the XML days. I would definitely check your application dependencies prior to deploying this update. Not that it will likely break newer or modern applications, but may cause an application compatibility issue with legacy applications. This is a patch now update, with a check for internally developed legacy applications before full deployment.

MS14-069 -- Important

The Microsoft Office patch MS14-069 resolves three privately reported vulnerabilities that could lead to a remote code execution scenario that only affects Office 2007 Service Pack 3, the Word Viewer utility and the Microsoft Office Compatibility Pack Service Pack 3. At present, Microsoft does not believe that this Office related vulnerability has been exploited in the wild. 

MS14-070 -- Important

MS14-070 attempts to resolve a single publicly reported vulnerability in the TCP/IP networking component during device driver-level input and output process (IOCTL) that could lead to elevation of privilege issues. This update only affects Windows Server 2003 SP2 platforms. If you have migrated onto more modern Microsoft server platforms, you don't need to worry about this update.

MS14-071 -- Important

The Microsoft update MS14-071 has been rated as important for this Patch Tuesday and relates to a single privately reported issue that may lead to an elevation of privilege security issue in the Windows Audio Service. This update impacts all currently supported versions of Windows desktop and server platforms (32, 64-bit and RT versions).

MS14-072 -- Important

The patch MS14-072 has been rated as important and attempts to resolves a single reported vulnerability in the Microsoft .NET framework that could lead to an elevation of privilege scenario. This update appears to affect all versions of the .NET framework including the slightly smaller redistributable .NET Framework Client Profile.

MS14-073 -- Important

MS14-073 attempts to address a single privately reported vulnerability in the SharePoint Server 2010 Foundation technology layer. This update only affects server platforms and could lead to an elevation of privilege scenario. 

MS14-074 -- Important

MS14-074 addresses a privately reported vulnerability in the Microsoft Remote Desktop Protocol (RDP) that could lead to a security bypass scenario where failed logon attempts are not correctly logged. This update is applicable for all currently supported Microsoft desktop and server platforms.

MS14-076 -- Important

MS14-076 resolves a privately reported security issue with Microsoft Internet Information Server (IIS) that could lead to a security bypass scenario in the "IP and Domain Restrictions" feature.

MS14-077 -- Important

MS14-077 is rated as important and relates to a privately reported vulnerability in Microsoft Active Directory Federation Services which if un-patched could lead to a information disclosure scenario if the logged in user leaves their browser window open after logging off from an application. This update only affects Microsoft Server 2008 and 2012.

Microsoft has saved the most interesting updates for last. 

MS14-078 -- Moderate

The update MS14-078 addresses is rated as moderate by Microsoft and relates to an elevation of privilege security issues with the Microsoft Japanese Input Method Editor (IME). The IME has always been a problem for Microsoft, especially with the Japanese, Chinese and Korean markets. Microsoft Input Method Editor lets you convert a relatively simple QWERTY keyboard with 26 letter alphanumeric alphabet and then generate some of the 5000+ Katagana, Hiragana and Chinese Kanji characters. Given the relatively small attack vector for this vulnerability, and the fact that the most likely people to experience difficult trouble-shooting scenarios with this update will have "timezone issues" (Japan is UTC+9:00) I would do some testing prior to deployment of this unusual update. 

MS14-079 -- Moderate

The Microsoft update MS14-079 addresses a TrueType font index-array validation issue in a kernel-mode driver that could lead to a denial of service security exploit. This update replaces a number of previous updates (MS14-058) that have been linked to a number of installation problems and third party software compatibility issues. Given the lower priority for this November Patch Tuesday update, I might wait a little while before full-scale deployment.

Adobe

Microsoft has released a security advisory for Adobe Flash Player in IE for all supported versions of Windows 8 and Server 2012 (32/64-bit, RT and Server R2). This update relates to Adobe's security update APSB14-24 that resolves 18 publicly reported issues that could result in the attacker taking control of the affected system. This Adobe advisory affects all platforms that support Adobe plug-ins (Windows, Mac, Linux).

Apple

This month we also see Apple release a security update for QuickTime version 7.7.6. This update handles an encoding issue with specially crafted movies that may lead lead to "arbitrary code execution" scenarios. You can find the update here.

This article is published as part of the IDG Contributor Network. Want to Join?

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.