Microsoft Closes Out 2014 Addressing Internet Explorer, Office Flaws
Microsoft repaired 24 vulnerabilities impacting Windows, Internet Explorer, its Office suite and Exchange server this week, issuing its final regularly scheduled round of security updates in 2014.
The software maker issued seven security bulletins for December, including three critical updates resolving 14 vulnerabilities in Internet Explorer, coding errors in Microsoft Word and Microsoft Office Web Apps, and a serious error in the Windows VBScript scripting engine.
If the software maker were to issue no emergency security updates the rest of the year, the total number of Microsoft security bulletins for the year will end at 85, not a particularly high number of updates, according to Wolfgang Kandek, CTO of vulnerability management vendor Qualys. Kandek said patching administrators should focus on the updates that could be remotely exploited.
[Related: Third-Party Software, Browser Components Account For Most Flaws, Study Finds]
The Internet Explorer and VBScript engine updates can be exploited if a user visits an attack webpage. Microsoft said the Internet Explorer update enables the browser to use Address Space Layout Randomization, a security feature that restricts malicious code from executing in memory. It also addresses how the browser handles objects in memory and repairs its cross-site scripting filter.
Attackers are increasingly infiltrating websites and setting up attack platforms that incorporate some of the latest vulnerabilities in them, Kandek said.
The Internet Explorer update impacts all currently supported versions of the browser. The security update for VBScript is critical for Windows Vista and Windows 7 and rated important for other supported versions of Windows. A cumulative update for Internet Explorer also addresses issues some customers had with the browser patches last month. Kandek also pointed to vulnerabilities addressed in Microsoft Word and Excel that are serious because they enable an attacker to exploit the errors by getting users to open a malicious document or file attachment.
"Attackers have become very proficient in these types of attacks by adapting the document title and content in question to the interests of the target, and document attacks are quite successful," Kandek said.
Browser vulnerabilities and the failure to repair critical components are consistent problems at most organizations, resulting in infected systems, solution providers told CRN. Most attacks are targeting Web vulnerabilities and are hitting the clients and not necessarily a server of cloud-based platforms, said Marshall Butler, vice president of sales at DMD Data Systems in Louisville, Ky.
"Patching is a tremendous issue," Butler said. "Many of the threats happen when a user is interfacing with Web applications from their machine and exploitation happens on the desktop."
In addition to the client-side updates, Microsoft issued repairs to Exchange server, addressing four vulnerabilities rated Important. The update impacts Exchange Server 2007, 2010 and 2013. An attacker could use the coding errors by pasting a malicious link in an email to spoof a Web page or elevate system privileges, an attack technique often used in a multistaged attack.
Solution providers also toldl CRN that system administrators need to review network security devices that may be supported by SSLv3, which is impacted by the POODLE vulnerabilities. Browser makers pulled support for the version of the encryption protocol in October when research identified a technique to gain access to encrypted communication. The latest research indicates that certain implementations of TLS can also be exploited using the technique.
Adobe Systems also issued two security advisories this week in conjunction with Microsoft's update. The company updated Adobe Flash, repairing six critical vulnerabilities in the ubiquitous browser component. It also fixed 20 critical coding errors in Adobe Reader and Acrobat. A hotfix for ColdFusion versions 10 and 11 repair a resource consumption issue that can result in a system crash.
"These updates address vulnerabilities that could potentially allow an attacker to take over the affected system," Adobe said in its advisory.
PUBLISHED DEC. 10, 2014