Microsoft Patch Tuesday - December 2014

Published: 2014-12-09. Last Updated: 2014-12-09 19:25:36 UTC
by Alex Stanford (Version: 1)

Overview of the December 2014 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	clients	servers
MS14-075	Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (Replaces MS13-105)
MS14-075	Microsoft Exchange CVE-2014-6319 CVE-2014-6325 CVE-2014-6326 CVE-2014-6336	KB 3009712	.	Severity:Important Exploitability:	N/A	Important
MS14-080	Cumulative Security Update for Internet Explorer (Replaces MS14-065)
MS14-080	Microsoft Windows, Internet Explorer CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966	KB 3008923	.	Severity:Critical Exploitability:	Critical	Critical
MS14-081	Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (Replaces MS14-017 MS14-061 MS14-069)
MS14-081	Microsoft Office CVE-2014-6356 CVE-2014-6357	KB 3017301	.	Severity:Critical Exploitability:	Critical	Important
MS14-082	Vulnerability in Microsoft Office Could Allow Remote Code Execution (Replaces MS09-060)
MS14-082	Microsoft Office CVE-2014-6364	KB 3017349	.	Severity:Important Exploitability:	Critical	Important
MS14-083	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS13-085)
MS14-083	Microsoft Office CVE-2014-6360 CVE-2014-6361	KB 3017347	.	Severity:Important Exploitability:	Critical	Important
MS14-084	Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (Replaces MS14-011)
MS14-084	Microsoft Windows CVE-2014-6363	KB 3016711	.	Severity:Critical Exploitability:	Critical	Critical
MS14-085	Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure
MS14-085	Microsoft Windows CVE-2014-6355	KB 3013126	vuln. public.	Severity:Important Exploitability:	Important	Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

--
Alex Stanford - GIAC GWEB & GSEC
Research Operations Manager,
SANS Internet Storm Center

Keywords: mspatchday

18 comment(s)

Comments

Microsoft have outdone themselves this month. Every single "contra-indications" KB is missing at this time (19:30 GMT)

The color-coded text is confusing. The "key" says that "white on red" is "PATCH NOW" while "black on red" is "Critical" - yet the table is formatted with "white on red" text that says "Critical". If you're going to use four different styles for the four levels, you should probably follow your style decision (Critical texts needs a "color: black" or "color: #000" rather than currently specified "#fff" value.)

Also, the key text for the fourth level starts with "Less Urt practices", which probably needs some editing.

Obviously, there's no need to publicly post this comment.

Agree, the missing KB's are getting annoying.

KB articles are now in place (22:50 GMT)

We've applied the patches to our test environment PC (Windows 7) and afterwards MS Office failed to open users previous documents. When applied to a second system the same results happened. Highly recommend that everyone test heavily before applying to your production environment.

...and it looks like the Silverlight patch broke NetFlix. Good job MS.

Where are 76-79?

Remember the exchange update was delayed from last month ergo the skip in numbers.

Also be aware of issues with KB3004394
http://www.infoworld.com/article/2858014/operating-systems/botched-kb-3004394-triggers-uacs-diagnostic-tool-error-0x8000706f7-amd-catalyst-driver-fail-defende.html

Please note that update MS14-075 for Exchange 2010 SP3 has been removed by Microsoft to "address a know issue"

Internet Storm Center

Microsoft Patch Tuesday - December 2014

Comments

Anonymous

Dec 9th 2014
9 years ago

Anonymous

Dec 9th 2014
9 years ago

Anonymous

Dec 9th 2014
9 years ago

Anonymous

Dec 9th 2014
9 years ago

Anonymous

Dec 9th 2014
9 years ago

Anonymous

Dec 10th 2014
9 years ago

Anonymous

Dec 10th 2014
9 years ago

Anonymous

Dec 10th 2014
9 years ago

Anonymous

Dec 10th 2014
9 years ago

Anonymous

Dec 11th 2014
9 years ago

Microsoft Patch Tuesday - December 2014

Comments

Anonymous

Dec 9th 20149 years ago

Anonymous

Dec 9th 20149 years ago

Anonymous

Dec 9th 20149 years ago

Anonymous

Dec 9th 20149 years ago

Anonymous

Dec 9th 20149 years ago

Anonymous

Dec 10th 20149 years ago

Anonymous

Dec 10th 20149 years ago

Anonymous

Dec 10th 20149 years ago

Anonymous

Dec 10th 20149 years ago

Anonymous

Dec 11th 20149 years ago

Dec 9th 2014
9 years ago

Dec 9th 2014
9 years ago

Dec 9th 2014
9 years ago

Dec 9th 2014
9 years ago

Dec 9th 2014
9 years ago

Dec 10th 2014
9 years ago

Dec 10th 2014
9 years ago

Dec 10th 2014
9 years ago

Dec 10th 2014
9 years ago

Dec 11th 2014
9 years ago