Microsoft Patch Tuesday - December 2014
Overview of the December 2014 Microsoft patches and their status.
| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) | |
|---|---|---|---|---|---|---|
| clients | servers | |||||
| MS14-075 | Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (Replaces MS13-105) |
|||||
| Microsoft Exchange CVE-2014-6319 CVE-2014-6325 CVE-2014-6326 CVE-2014-6336 |
KB 3009712 | . | Severity:Important Exploitability: |
N/A | Important | |
| MS14-080 | Cumulative Security Update for Internet Explorer (Replaces MS14-065) |
|||||
| Microsoft Windows, Internet Explorer CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966 |
KB 3008923 | . | Severity:Critical Exploitability: |
Critical | Critical | |
| MS14-081 | Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (Replaces MS14-017 MS14-061 MS14-069) |
|||||
| Microsoft Office CVE-2014-6356 CVE-2014-6357 |
KB 3017301 | . | Severity:Critical Exploitability: |
Critical | Important | |
| MS14-082 | Vulnerability in Microsoft Office Could Allow Remote Code Execution (Replaces MS09-060) |
|||||
| Microsoft Office CVE-2014-6364 |
KB 3017349 | . | Severity:Important Exploitability: |
Critical | Important | |
| MS14-083 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS13-085) |
|||||
| Microsoft Office CVE-2014-6360 CVE-2014-6361 |
KB 3017347 | . | Severity:Important Exploitability: |
Critical | Important | |
| MS14-084 | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (Replaces MS14-011) |
|||||
| Microsoft Windows CVE-2014-6363 |
KB 3016711 | . | Severity:Critical Exploitability: |
Critical | Critical | |
| MS14-085 | Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure | |||||
| Microsoft Windows CVE-2014-6355 |
KB 3013126 | vuln. public. | Severity:Important Exploitability: |
Important | Important | |
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.
--
Alex Stanford - GIAC GWEB & GSEC
Research Operations Manager,
SANS Internet Storm Center
POODLE Strikes (Bites?) Again
As Adam Langley notes in his blog [1], the POODLE vulnerability may be found in some implementations of TLS, not just in SSLv3.
The problem is an implementation issue, not so much a problem with the standard as in the original SSLv3 instance. The POODLE vulnerability was caused by SSLv3's use of unspecified, and unprotected use of padding. In TLS, the padding is specified, and TLS should no longer be vulnerable to the attack. However, it turns out that some implementations will not verify if the correct padding was used. An incorrect padding would go unnoticed (just like in SSLv3) and could lead to the POODLE problem.
On the other hand: We still haven't seen widespread (any?) exploitation of the POODLE vulnerability. So focus on what Microsoft has to offer first today, then take a look if you still have some outstanding "Poodles" in your network. F5 load-balancers apparently suffer from the new problem.
In addition, Heise.de notes that Kaspersky's Internet Security product, which implements a proxy on the protected host, still supports SSLv3 and may cause connections to be downgraded to SSLv3, even if the user's browser no longer supports SSLv3.
[1] https://www.imperialviolet.org
Comments