Microsoft October 2014 Patch Tuesday - SANS Internet Storm Center

Microsoft only published 8 instead of the promised 9 bulletins. Also, of particular interest is MS14-060 which was pre-announced by iSight Partners. iSight has seen this vulnerability exploited in some "APT" style attacks against NATO/US military interests and attributes these attacks to Russia. Attacks like this have happened with many Office vulnerabilities in the past, but it is unusual for a company to announce the respective attacks and CVE numbers ahead of Microsoft's bulletin release. Note that we got a total of 3 already exploited vulnerabilities in this month's release. Don't believe patching fast will protect you. You are probably a few weeks if not months behind at the time the patch is released.

Overview of the October 2014 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	clients	servers
MS14-056	Cumulative Security Update for Internet Explorer (replaces MS14-052)
MS14-056	Microsoft Windows, Internet Explorer CVE-2014-4123, CVE-2014-4124, CVE-2014-4126, CVE-2014-4127, CVE-2014-4128, CVE-2014-4129, CVE-2014-4130, CVE-2014-4132, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4141, CVE-2014-4123, CVE-2014-4124, CVE-2014-4126, CVE-2014-4127, CVE-2014-4128, CVE-2014-4129, CVE-2014-4130, CVE-2014-4132, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4140, CVE-2014-4141	KB 2987107	CVE-2014-4123 has been exploited.	Severity:Critical Exploitability: 1	Critical	Important
MS14-057	Vulnerabilities in .NET Framework Could Allow Remote Code Execution (replaces MS12-016)
MS14-057	Microsoft Windows, Microsoft .NET Framework CVE-2014-4073 CVE-2014-4121 CVE-2014-4122	KB 3000414	No.	Severity:Critical Exploitability: 2	Critical	Critical
MS14-058	Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (replaces MS14-015)
MS14-058	Microsoft Windows CVE-2014-4113 CVE-2014-4148	KB 3000061	Yes. Used in Limited Attacks	Severity:Critical Exploitability: 0	Critical	Critical
MS14-059	Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass
MS14-059	Microsoft Developer Tools CVE-2014-4075	KB 2990942	Publicly disclosed,not exploited.	Severity:Important Exploitability: 3	Less Important	Important
MS14-060	Vulnerability in Windows OLE Could Allow Remote Code Execution (replaces MS12-005)
MS14-060	Microsoft Windows CVE-2014-4114	KB 3000869	yes. against powerpoint. See iSight disclosure.	Severity:Important Exploitability: 0	Critical	Important
MS14-061	Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (MS14-034, MS14-017)
MS14-061	Microsoft Office, Microsoft Office Services, Microsoft Office Web Apps CVE-2014-4117	KB 3000434	No.	Severity:Important Exploitability: 1	Critical	Important
MS14-062	Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (MS09-040)
MS14-062	Microsoft Windows CVE-2014-4971	KB 2993254	publicly disclosed but not exploited.	Severity:Important Exploitability: 1	Important	Important
MS14-063	Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege
MS14-063	Microsoft Windows CVE-2014-4115	KB 2998579	No.	Severity:Important Exploitability: 1	Important	Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical enviro\ nments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical \ deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to t\ est and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or lei\ sure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022

Johannes

4511 Posts
ISC Handler

Oct 14th 2014

MS14-058 - I think you just used the wrong rating, should be red and critical. I notice you have mentioned its critical but have used orange for moderate.

Zain Khan

4 Posts

Thanks! I fixed it. I didn't pay attention on this one and marked it as "important" like prior kernel driver priv. escalation vuln. But this one is a remote code exec vulnerability and has already been exploited.

Johannes

4511 Posts
ISC Handler

I also see some security "advisories":
Vulnerability in SSL 3.0 Could Allow Information Disclosure
https://technet.microsoft.com/library/security/3009008
Update for Microsoft EAP Implementation that Enables the Use of TLS
https://technet.microsoft.com/library/security/2977292
Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2
https://technet.microsoft.com/library/security/2949927

And a question: that last one (2949927) was removed, with a
recommendation to un-install. Does this qualify as a "pulled patch"?
What was the problem?

Paul Szabo

14 Posts