A bumper harvest patch of updates for October

Ben Long

This October Patch Tuesday brings a bumper harvest of updates from a number of vendors including Microsoft, Adobe, Apple, Oracle and Google. Of the Microsoft patches, three are rated as critical and six updates are rated as important.

MS14-056 -- Critical

The first update for this October Patch Tuesday is MS14-056, which is rated as critical by Microsoft and attempts to resolve a remote code execution vulnerability in Microsoft Internet Explorer (IE). This Microsoft update resolves 14 privately reported issues which, if exploited successfully, would give an attacker the same permissions as the logged-on user. Interestingly, this update is rated as critical by Microsoft for all versions of IE (including 6, 7, 8, 9, 10 and 11) and moderate for all server-based platforms.

As usual in the case of IE updates, the Microsoft Server Core platform is not affected as it does not include Internet Explorer.

This update is different from past IE updates. The last few IE patch cycles were made up of a number of coding hygiene updates that resolved internal memory corruption issues. However, this release also includes three other security updates, one of which addresses a publicly exploited vulnerability.

This is definitely a patch-now update from Microsoft.

MS14-057 -- Critical

The second update rated as critical by Microsoft is MS14-057 and relates to three privately reported vulnerabilities in the Microsoft .NET Framework. This vulnerability could lead to a remote code execution scenario if an attacker sends a specially crafted URL request to a .NET web application. In addition, the ClickOnce installation process and a component of the ASLR security feature have been updated.

This update affects all supported versions of the .NET Framework, including versions 2.0, 3.5, 4.0 and 4.5/4.5.1/4.5.2. If you are particularly worried about the URL handling vulnerability, Microsoft has provided a workaround: add the following setting to your application's app.config file: <iriParsing enabled="false"/>. Unfortunately, this may cause your application to improperly handle international resource identifiers. This .NET security patch updates the files DFDLL.DLL and the .NET component System.Deployment.dll (which includes the Microsoft Application Deployment Shell support files).
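
To see which applications already carry this workaround, the following PowerShell reads every .config file under a folder and reports the iriParsing setting. It is an added example, not code from the article or from Microsoft. It assumes the element sits at configuration/uri/iriParsing; the function name, the scratch folder and the four sample files are constructed for illustration.

```powershell
# Added example: report the iriParsing workaround state for .NET config files.
# Assumption: the element lives at /configuration/uri/iriParsing.
function Get-IriParsingState {
    param([Parameter(Mandatory = $true)][string]$Root)

    Get-ChildItem -Path $Root -Recurse -Filter *.config -File | ForEach-Object {
        $file  = $_   # keep a handle; switch and catch rebind $_
        $state = 'not set (framework default applies)'
        try {
            $doc = New-Object System.Xml.XmlDocument
            $doc.Load($file.FullName)
            $node = $doc.SelectSingleNode('/configuration/uri/iriParsing')
            if ($null -ne $node) {
                switch ($node.GetAttribute('enabled').Trim().ToLowerInvariant()) {
                    'false' { $state = 'workaround applied' }
                    'true'  { $state = 'explicitly enabled' }
                    default { $state = 'present, unrecognised value' }
                }
            }
        } catch {
            # Malformed XML must not stop the sweep; flag it for manual review.
            $state = 'unreadable XML, review by hand'
        }
        [pscustomobject]@{ File = $file.Name; IriParsing = $state }
    }
}

# Constructed sample files, written to a scratch folder so the script runs offline.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'iriParsing-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$samples = @{
    'patched.exe.config' = '<configuration><uri><iriParsing enabled="false" /></uri></configuration>'
    'enabled.exe.config' = '<configuration><uri><iriParsing enabled="true" /></uri></configuration>'
    'default.exe.config' = '<configuration><appSettings /></configuration>'
    'broken.exe.config'  = '<configuration><uri>'
}
foreach ($name in $samples.Keys) {
    Set-Content -Path (Join-Path $demo $name) -Value $samples[$name] -Encoding UTF8
}

Get-IriParsingState -Root $demo | Sort-Object File | Format-Table -AutoSize
```

Point -Root at a deployment share or build output folder to run the same sweep over real applications, and again after patching to find workaround entries that can be removed.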

Though no update is risk free, it looks like the testing surface and therefore the testing cycle are not very large for this update. Include this patch in your normal update cycle.

MS14-058 -- Critical

The final update (MS14-058) rated as critical from Microsoft resolves two privately reported vulnerabilities in Windows that could lead to a remote code execution scenario. Microsoft believes that both of these security issues have been exploited in the wild and these issues relate to all versions of Windows (including 32-bit, 64-bit and RT versions).

The first vulnerability relates to an elevation of privilege (EoP) issue in the core system file Win32k.sys. If you wanted to pick the one file that matters most to the Windows operating system, Win32k.sys is a good candidate. Updating this file should be done with great care. Given the lower level of security exposure (EoP) and the fact that valid user logon credentials are required on the target machine, this particular security issue does not fill me with unmitigated dread. Updating this file does.

The second vulnerability relates to how the Windows kernel-mode driver handles TrueType fonts. There is a pretty rigorous and straightforward workaround available for this issue: use the CACLS command to deny access to the t2embed.dll file. This update replaces MS14-015, which was published in March. The last time that Microsoft updated the kernel-mode drivers (MS14-045), a large number of users experienced the dreaded "Blue Screen of Death" (BSoD) stop error 0x50, and Microsoft eventually advised users to uninstall MS14-045 due to all of the reported issues. This is a critical patch from Microsoft and has to be treated as a priority, but given that one of the issues can be securely mitigated and that there have been significant issues in the past with these kinds of changes to the Windows kernel, I would recommend a significant testing process.

This patch is a good candidate for an "IT department first" update.

MS14-059 -- Important

The first update rated as important for this October Patch Tuesday is MS14-059, which relates to a security bypass vulnerability in Microsoft's agile web developer tool ASP.NET MVC (Model View Controller). This security issue relates to a cross-site scripting (XSS) issue that could allow an attacker to inject code into the user's web browser session. There is an XSS security filter in Microsoft IE versions 8, 9, 10 and 11 that prevents this kind of issue, but this filter is not enabled by default in the local Intranet Zone. Include this update in your normal patch cycle.

MS14-060 -- Important

MS14-060 addresses a single privately reported vulnerability in Windows that could lead to a remote code execution scenario when a user opens a Microsoft Office file containing a specially crafted OLE object. Include this update in your normal patch cycle.

MS14-061 -- Important

MS14-061 addresses a single reported vulnerability in Microsoft Office which may lead to a remote code execution scenario if an attacker can convince the user to open a specially crafted Microsoft Word file. Include this update in your normal patch cycle.

MS14-062 -- Important

The update MS14-062 addresses a single publicly disclosed vulnerability in the Windows Message Queue Service which may lead to an attacker gaining the same privileges as the logged-on user. The testing profile of this update will likely depend on internally developed applications and will likely include a heavy dependency on your Active Directory or workgroup configuration. Involve your application business owners before you deploy this update.

MS14-063 -- Important

The last patch for this October Patch Tuesday cycle from Microsoft is MS14-063, which resolves a single privately reported vulnerability in the FAT32 disk partition (FASTFAT) driver that could lead to an elevation of privilege scenario. This update only affects Windows Server 2003, Windows Vista and Windows Server 2008. Unfortunately, this patch may require some additional testing due to a history of BSoD errors relating to this particular Windows driver and difficult troubleshooting scenarios. Often errors relating to bad RAM modules are misdiagnosed as a FASTFAT driver issue, as documented in the Microsoft support knowledge base article KB810091. Unless there is a particularly critical system that requires an immediate update (a legacy Windows Server 2003 system?), a decent testing regime before deploying this update is recommended.

Oracle -- Critical

Oracle produces quarterly security updates, and for this month the Oracle October Critical Patch Update is synchronized with Microsoft's Patch Tuesday. Oracle labels this process as their Critical Patch Update process, and this month's update includes 154 different security fixes for vulnerabilities across 45 Oracle software products. There is a blog entry that summarizes these issues and corresponding fixes here.

Adobe -- Important, Critical

This month, Adobe has released security hotfixes for ColdFusion versions 9.x, 10.x and 11, affecting all supported platforms. The Adobe ColdFusion security fixes have been rated by Adobe as important. These fixes address IP access control, cross-site scripting (XSS) and cross-site request forgery vulnerabilities. In addition, Adobe has released security updates for Flash Player on Windows, Macintosh and Linux systems. The Flash Player update is rated as critical on Windows systems, with a lesser rating on Macintosh and Linux systems. You can find the ColdFusion update APSB 14-23 and APSB 14-22 on the Adobe security center.

Google Chrome

Google Chrome has released a number of security updates for multiple vulnerabilities in the Chrome OS and the Chrome web browser. This month Google has released updates for Windows, Mac, Linux, iPhone and the iPad. Follow the Google Security blog for the October Google Stable Channel Update, Chrome for iOS Update, and the Stable Channel Update for Chrome OS.

In addition to all the other updates this month, Apple has released an OS X update that attempts to resolve some of the security vulnerabilities exposed by the latest BASH security issues, which can be found here: HT6495 and here: TA14-268A.

As always, all Microsoft updates require system restarts.

Copyright © 2014 IDG Communications, Inc.
