Microsoft November 2014 Patch Tuesday - SANS Internet Storm Center

Important: Please note that Microsoft released EMET 5.1 yesterday to address conflicts between EMET 5.0 / IE 11 and the patches released here (likely MS14-065)

We are aware that bulletin numbers are skipped below. Not sure if they will come later. It is possible that I used a version of the bulletin page that wasn't quite ready yet. I will update this page as needed.

Overview of the November 2014 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	clients	servers
MS14-064	Vulnerabilities in Windows OLE Could Allow Remote Code Execution (ReplacesMS11-038 MS14-060 )
MS14-064	Microsoft Windows CVE-2014-6332 CVE-2014-6352	KB 3011443	This fixes the OLE/PPT vuln that has been exploited and was partially fixed by MS14-060.	Severity:Critical Exploitability: 1	Critical	Important
MS14-065	Cumulative Security Update for Internet Explorer (ReplacesMS14-056 )
MS14-065	Microsoft Windows, Internet Explorer , CVE-2014-4143, CVE-2014-6323, CVE-2014-6337, CVE-2014-6339, CVE-2014-6340, CVE-2014-6341, CVE-2014-6342, CVE-2014-6343, CVE-2014-6344, CVE-2014-6345, CVE-2014-6346, CVE-2014-6347, CVE-2014-6348, CVE-2014-6349, CVE-2014-6350, CVE-2014-6351, CVE-2014-6353	KB 3003057		Severity:Critical Exploitability: 1	Critical	Important
MS14-066	Vulnerability in Schannel Could Allow Remote Code Execution (ReplacesMS10-085 MS12-049 )
MS14-066	Microsoft Windows CVE-2014-6321	KB 2992611		Severity:Critical Exploitability: 1	Important	Critical
MS14-067	Vulnerability in XML Core Services Could Allow Remote Code Execution (ReplacesMS14-005 MS14-033 )
MS14-067	Microsoft Windows CVE-2014-4118	KB 2993958	.	Severity:Critical Exploitability: 2	Critical	Critical
MS14-069	Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (ReplacesMS14-017 MS14-061 )
MS14-069	Microsoft Office CVE-2014-6333 CVE-2014-6334 CVE-2014-6335	KB 3009710		Severity:Important Exploitability: 1	Critical	Important
MS14-070	Vulnerability in TCP/IP Could Allow Elevation of Privilege (ReplacesMS09-048 )
MS14-070	Microsoft Windows CVE-2014-4076	KB 2989935	vuln. publicly known	Severity:Important Exploitability: 2	Important	Important
MS14-071	Vulnerability in Windows Audio Service Could Allow Elevation of Privilege
MS14-071	Microsoft Windows CVE-2014-6322	KB 3005607		Severity:Important Exploitability: 2	Important	Important
MS14-072	Vulnerability in .NET Framework Could Allow Elevation of Privilege (ReplacesMS14-026 )
MS14-072	Microsoft Windows, Microsoft .NET Framework CVE-2014-4149	KB 3005210		Severity:Important Exploitability: 2	Important	Important
MS14-073	Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (ReplacesMS13-084 )
MS14-073	Microsoft Server Software CVE-2014-4116	KB 3000431		Severity:Important Exploitability: 2	Important	Important
MS14-074	Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (ReplacesMS10-085 MS14-030 )
MS14-074	Microsoft Windows CVE-2014-6318	KB 3003743		Severity:Important Exploitability: 3	Important	Important
MS14-076	Vulnerability in Internet Information Services
MS14-076	Microsoft Windows CVE-2014-4078	KB 2982998		Severity:Important Exploitability: 3	Important	Important
MS14-077	Vulnerability in Active Directory Federation Services Could Allow Information Disclosure
MS14-077	Microsoft Windows CVE-2014-6331	KB 3003381		Severity:Important Exploitability: 3	Important	Important
MS14-078	Vulnerability in IME
MS14-078	Microsoft Windows,Microsoft Office CVE-2014-4077	KB 3005210	already exploited	Severity:Moderate Exploitability: 0	Important	Moderate
MS14-079	Vulnerability in Kernel Mode Driver Could Allow Denial of Service (ReplacesMS14-058 )
MS14-079	Microsoft Windows CVE-2014-6317	KB 3002885		Severity:Moderate Exploitability: 3	Moderate	Moderate

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022

Johannes

4510 Posts
ISC Handler

Nov 11th 2014

I'm struggling with fully understanding ms14-066. It's Microsoft SecureChannel... "Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption.

Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications."

So is it appropriate to interpret this as saying my IIS servers supporting HTTPS connections, have an unauthenticated RCE vuln? Or is it more complicated than that?

justageek

7 Posts

MS14-066: How wormable is this one? Microsoft says "The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server." There isn't a lot of technical info regarding how those packets could get into schannel. Does it require a secure connection first, or is it exploited while the connection is being negotiated?

Also, the SRD blog says "Most likely attack vector: User browses to a malicious webpage." While not a total contradiction, it does spin the vulnerability in a different light.

Any thoughts?

justageek
3 Posts

The official bulletin for the November 2014 updates states:

MS14-068 -- Release date to be determined
----------------

So, you have not "skipped" anything.

Anonymous

Also released yesterday: A new KB http://support.microsoft.com/kb/3008627 related to the KB2918614 aka MS14-049 patch which was released in August 2014.

KB3008627 was released to address "This [unexpected UAC prompt] issue occurs because already installed applications do not have their hash cache created after update 2918614 is installed. When a repair is triggered for these applications, Microsoft Installer (MSI) cannot validate the installation files. Therefore, MSI needs consent from the user to finish the repair."

dotBATman

70 Posts

According to an article in arstechnika the SChannel vulnerability (MS14-66) affects the TLS stack and therefore ANY software acting as a server and creating/listening to an encrypted port if using microsofts schannel instead, for example, openssl.

http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bites-all-versions-of-windows-patch-now/

Article cites Qualys's Director of Engineering on this one.

If this is the case, prepare for a quick exploit wave and if this happens the ISC rating for servers should be PATCH NOW.

Paul

13 Posts

KB 3006226, the OLE vulnerability patch, is really messing with some graphics programs. I use a program called ATCS Monitor, which shows you the location of trains if the train line signals are broadcast via radio. It's giving false indications that a train has a "green" light, and gives green lights to "phantom" trains that don't exist. Uninstalling this update fixes the problem, and is widely reported on the ATCS Monitor Yahoo! users' group.

Gilbert

21 Posts