With this December Patch Tuesday, we see a smaller number of patches than expected, with three updates rated as critical and four patches that Microsoft has rated as important. This month, we also see the much delayed Microsoft Exchange update (MS14-075) released as part of the December cycle. Historically speaking, this month is a light release as in the past we have seen up to 14 patches released by Microsoft for December (see Patch Tuesday December 2010). In addition to the December releases, Microsoft has also updated two patches from the November cohort. MS14-65 was updated to address a memory corruption vulnerability in Internet Explorer that could have led to a denial of service scenario. MS14-066 was also updated to resolve a problem with the patch that affected Windows Vista and Server 2003 users. In addition to these Microsoft patches, there is a critical update from Adobe for Flash Player that is probably the most important update to deploy this month.
MS14-075 -- Important
This first update for December (and one of the last for November) that has been rated as important by Microsoft is MS14-075. This Microsoft Exchange update resolves four privately reported security vulnerabilities of which the most severe could lead to an elevation of privilege scenario if a user clicks a link on specially crafted website using the Microsoft Outlook web client. Effectively, this particular vulnerability is a type of Cross-Site Scripting vulnerability (also known as XSS) that occurs when Microsoft Exchange does not validate user input correctly. This update affects Microsoft Exchange versions from 2007 up to Exchange Server 2013 Cumulative Update 6 on both 32 and 64-bit platforms.
MS14-080 -- Critical
The second update is MS14-080 which relates to 14 privately reported vulnerabilities in Microsoft Internet Explorer (IE). This patch for IE is rated as critical for desktop versions 9-11 and is rated as important for versions 9-11 on Microsoft server platforms. This update looks like a replacement and enhancement to last month's (November) update MS14-065, with the addition of an XSS filter and an update to the Microsoft VBScript scripting engine. Please note that for systems running earlier versions of IE (versions 6, 7 and 8) a separate patch (MS14-084) has been released by Microsoft. Given the nature of the XSS, VBScript and ASLR vulnerabilities addressed by this update, deploying this update should be a priority.
MS14-081 -- Critical
The second update rated as critical by Microsoft is MS14-081 and it relates to two privately reported vulnerabilities in the desktop version of Microsoft Word and the cloud-based Microsoft Office Web Apps service. A successful attacker would have to persuade a user to click on a specially crafted word file, and if successful would enable a remote code execution security scenario with the attacker gaining the same rights as the logged in user.
MS14-084 -- Critical
The final update rated as critical by Microsoft is MS14-084 which relates to a remote code execution vulnerability in the Microsoft VBScript scripting engine. This update affects Microsoft's older systems such as Vista, Windows 7, Server 2003 and 2008. This makes sense as the VBScript scripting engine has largely been deprecated and replaced by the Microsoft PowerShell command line automation and configuration framework. This vulnerability could be exploited through either a specially crafted web page or through a similarly malign Microsoft Office document resulting in the attacker obtaining the same privileges as the logged on user.
MS14-82 -- Important
The first patch rated as important for this patch Tuesday also relates to Microsoft Word and if successfully exploited could also lead to a remote code execution scenario with the attacker gaining the same privileges as the logged on user. This Microsoft update addresses a memory corruption and security (ASLR) issue in one of the most commonly used controls MSCOMCTL.DLL (Microsoft Common Control) which has shipped with Office and Visual Basic for the past fifteen years. This DLL used to be implicated in multiple application level conflicts, so-called DLL Hell. Interestingly, the update refers to a Microsoft KB article ( KB2596927 ) which updates a core component of MSCOMCTL, the DLL file FM20.DLL. This file contains all the libraries for version 2 of Microsoft Forms and once updated may cause some Visual Basic or legacy Word applications to execute with some unexpected behaviors. You may want to test your aging, legacy applications first before deploying this Microsoft update.
MS14-083 -- Important
The penultimate update for December is MS14-083 which again deals with a remote code execution scenario in another Microsoft Office component; Excel. This update is rated as important and affects all versions of Excel (2007, 2010, and 2013) including the Microsoft RT platform. This is another memory corruption vulnerability that if successfully exploited allows an attacker to have the same security privileges as the logged on user. At the time of writing, Microsoft has not published any workarounds for this vulnerability.
MS14-085 -- Important
The final update for this December Patch Tuesday is MS14-085 which has been rated as important due to an information disclosure vulnerability with the Microsoft Graphics component. Due to a weakness in the GDIPlus.DLL (commonly referred to as GDI+) and Windowscodec.dll graphics processing implementations, a specially crafted JPEG image file could allow an attacker to gain useful information about the target system. This is a concern, as this information could then be used as part of a further, more damaging attack on the vulnerable system. The files GDI.DLL and GDIPlus.DLL are core components of the Windows system. These files were introduced in Windows XP and Server 2003 and have been updated many times before including the controversial update MS12-034. You may want to wait for a week prior to deploying this patch due to the reduced severity of the vulnerability and the risk of updating a core system component.
Adobe
APSB14-27 -- Critical
Adobe has released an update for Flash player (APSB14-27) that resolves six reported vulnerabilities that affect Flash Player for Windows, Mac and Linux systems. All these vulnerabilities relate to exploits that could allow an attack to execute remote code on the compromised system. Of all the updates released this month, this is probably the most important update to deploy.
APSB14-28 -- Critical
The Adobe update APSB14-28 attempts to address 20 security vulnerabilities in Adobe Reader and Acrobat. This update affects both Windows and Mac systems
APSB14-29 -- Important
The Adobe ColdFusion update APSB14-29 affects version 10 and 11 of ColdFusion and attempts to resolve a resource consumption issue that could possibly result in a denial of service scenario.
Google Chrome has released an update 39.0.2171.95 as part of its stable channel update process to support the Priority 1 Adobe Flash security update. You can have a look at the full list of changes in the Google Chrome release log found here.