Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Microsoft Patch Tuesday - December 2014 - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft Patch Tuesday - December 2014

Overview of the December 2014 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS14-075 Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege
(Replaces MS13-105)
Microsoft Exchange

CVE-2014-6319
CVE-2014-6325
CVE-2014-6326
CVE-2014-6336
KB 3009712 . Severity:Important
Exploitability:
N/A Important
MS14-080 Cumulative Security Update for Internet Explorer
(Replaces MS14-065)
Microsoft Windows, Internet Explorer
CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966
KB 3008923 . Severity:Critical
Exploitability:
Critical Critical
MS14-081 Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution
(Replaces MS14-017 MS14-061 MS14-069)
Microsoft Office

CVE-2014-6356
CVE-2014-6357
KB 3017301 . Severity:Critical
Exploitability:
Critical Important
MS14-082 Vulnerability in Microsoft Office Could Allow Remote Code Execution
(Replaces MS09-060)
Microsoft Office

CVE-2014-6364
KB 3017349 . Severity:Important
Exploitability:
Critical Important
MS14-083 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
(Replaces MS13-085)
Microsoft Office

CVE-2014-6360
CVE-2014-6361
KB 3017347 . Severity:Important
Exploitability:
Critical Important
MS14-084 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution
(Replaces MS14-011)
Microsoft Windows

CVE-2014-6363
KB 3016711 . Severity:Critical
Exploitability:
Critical Critical
MS14-085 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure
Microsoft Windows

CVE-2014-6355
KB 3013126 vuln. public. Severity:Important
Exploitability:
Important Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

       

-- 
Alex Stanford - GIAC GWEB & GSEC
Research Operations Manager,
SANS Internet Storm Center

Alex Stanford

136 Posts
Microsoft have outdone themselves this month. Every single "contra-indications" KB is missing at this time (19:30 GMT)
Rabbi

7 Posts Posts
The color-coded text is confusing. The "key" says that "white on red" is "PATCH NOW" while "black on red" is "Critical" - yet the table is formatted with "white on red" text that says "Critical". If you're going to use four different styles for the four levels, you should probably follow your style decision (Critical texts needs a "color: black" or "color: #000" rather than currently specified "#fff" value.)

Also, the key text for the fourth level starts with "Less Urt practices", which probably needs some editing.

Obviously, there's no need to publicly post this comment.
Landrew

6 Posts Posts
Agree, the missing KB's are getting annoying.
Anonymous

Posts
KB articles are now in place (22:50 GMT)
Rabbi

7 Posts Posts
We've applied the patches to our test environment PC (Windows 7) and afterwards MS Office failed to open users previous documents. When applied to a second system the same results happened. Highly recommend that everyone test heavily before applying to your production environment.
Anonymous

Posts
...and it looks like the Silverlight patch broke NetFlix. Good job MS.
Anonymous

Posts
Where are 76-79?
jbmartin6

20 Posts Posts
Remember the exchange update was delayed from last month ergo the skip in numbers.
Susan

34 Posts Posts
Also be aware of issues with KB3004394
http://www.infoworld.com/article/2858014/operating-systems/botched-kb-3004394-triggers-uacs-diagnostic-tool-error-0x8000706f7-amd-catalyst-driver-fail-defende.html
Susan

34 Posts Posts
Please note that update MS14-075 for Exchange 2010 SP3 has been removed by Microsoft to "address a know issue"
Anonymous

Posts
I think this brings all of the known problems with this month's patches up-to-date. Additional info always welcome: woody at ask woody dot com.

http://www.infoworld.com/article/2858280/operating-systems/botch-brigade-kb-2553154-2726958-clobber-excel-activex-kb-3011970-silverlight-kb-3004394-root-cert.html
WoodyLeonhard

8 Posts Posts
I am seeing errors in IE9 on multiple Windows 7 (32 & 64-bit) computers relating to MS14-080. Appears to crash IE repeatedly when accessing pages using frames.

EVENT LOG: Application
EVENT TYPE: Error
SOURCE: Application Error
CATEGORY: Application Crashing Events
EVENT ID: 1000
COMPUTER:
TIME: Thu 2014-12-11 08:52:14 AM
MESSAGE: Faulting application name: iexplore.exe, version: 9.0.8112.16599, time stamp: 0x5473964b Faulting module name: IEFRAME.dll, version: 9.0.8112.16599, time stamp: 0x547396ec Exception code: 0xc0000005 Fault offset: 0x001a8290 Faulting process id: 0x13e8 Faulting application start time: 0x01d015520bb830fa Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\system32\IEFRAME.dll Report Id: 4adcd51a-8145-11e4-9906-7845c40d6d6c

Anyone else?
Michelle

1 Posts Posts
Microsoft has released a new "Important" update:
"Install KB3024777 to fix an issue with KB3004394 on Windows 7 and Windows Server 2008 R2".

"The KB 3004394 update that was dated December 10, 2014 can cause additional problems on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates. This new update is available to remove KB 3004394 from your computer..."

Ref:
https://support.microsoft.com/kb/3024777
Anonymous

Posts
I am seeing the same ieframe.dll Event id 1000 on several win7 64bit machines running IE10.
Steve

1 Posts Posts
Microsoft has released KB3025390, this is an add-on - it does not replace any updates. It was released to address issues seen with modal dialog boxes after installing KB300892 - MS14-080 for Internet Explorer 11.

"you may experience unexpected behavior when you interact with sites that use one or more web application modal dialog boxes"

http://support2.microsoft.com/kb/3025390
dotBATman

60 Posts Posts
Yes, I am too. Not that saying so helps much. About 100 affected machines, but about 1400 unaffected. Looking for differences now. Have you found anything yet?
Anonymous

Posts
Will this announcement from Microsoft affect your ability to compile this information going forward? They are discontinuing advance notification public disclosure.
http://blogs.technet.com/b/msrc/archive/2015/01/08/evolving-advance-notification-service-ans-in-2015.aspx
Anonymous

Posts
The advance notifications are a bit too vague to help much with our summary. We used to receive a copy of the final bulletin a couple hours before the official release, allowing us to process them. But Microsoft stopped doing that a while (2 years?) ago without ever explaining why. At this point, we are just "refreshing our browsers" like anybody else and then quickly compiling the bulletins into our digest.
Johannes

3112 Posts Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!