Microsoft released seven security bulletins today to address 24 vulnerabilities, including critical updates for Internet Explorer, Windows and Microsoft Office.
The Internet Explorer bulletin, MS14-080, has the broadest scope, and contains 14 CVEs – none of which are known to be under attack, said Ross Barrett, senior manager of security engineering at Rapid7. The IE bulletin also shares a CVE with MS14-084, the critical Windows update.
“The shared CVE with MS14-084 presents a patching and detection challenge because exactly which patch you get will depend on the configuration of your system and the version of IE,” he said. “Systems without IE will only be offered the MS14-084 patch. Systems with IE 8 and older will be offered the MS14-080 AND the MS14-084 patch. Systems with IE 9 or later will not be offered the MS14-084 patch because the issue is addressed by the MS14-080 patch. Clear as mud, right?”
MS14-084 resolves a vulnerability in the VBScript scripting engine that could enable an attacker to remotely execute code if a user visits a specially-crafted website. MS14-081 is the final critical bulletin, and is aimed at vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software.
“In most cases this type of issue would only be important, because typically a document format use-after-free issue requires user interaction to exploit, but in this case because of the potential for exploitation through SharePoint Web Apps the risk is greater,” said Barrett, who added that MS14-080 and MS14-084 should be the top patching priorities.
Next on the list, he added, should be MS14-081 and MS14-075, the latter of which addresses four vulnerabilities in Microsoft Exchange Server and is ranked as ‘important’. MS14-075 was deferred last month. The remaining bulletins are also classified as ‘important’, and impact Microsoft Office, Excel and Windows.
In addition to the Microsoft fixes, Adobe released patches for Flash, Shockwave, Reader, Acrobat and ColdFusion. The Flash update fixes six vulnerabilities, one of which is currently being exploited in the wild (CVE-2014-9163), noted Chris Goettl, product manager with Shavlik Technologies.
“Along with Flash, admins will need to deploy the Internet Explorer Advisory and a new release for Google Chrome, both of which will allow the plug-in to be updated in the browsers,” he said. “Adobe also had another release since last Patch Tuesday, so if you haven't patched your system in a month, you will have two pending updates.”
“The Adobe Acrobat and Reader updates include resolution to 20 vulnerabilities,” Goettl added. “Adobe also rates this as a Priority 1 update. Some of the vulnerabilities being resolved could allow an attacker to take control of the system.”