It is the very last Patch Tuesday of 2014 and what a year it has been. Microsoft has had 11 tries and has yet to have a completely flawless patching month. Could this be the month Microsoft finally gets it right? Could December's Patch Tuesday produce a Christmas miracle, or just a Festivus for the rest of us when we can air our patching grievances? Time will tell, and I'll be keeping my ear to the ground to let you know of any reported problems, but at least you need to know what's included in today's stack of updates.
Here's what you can expect.
MS14-075 – This is the bulletin set to release last month, but shelved due to an installation problem. It is a fix for Microsoft Exchange server that can allow attackers to send email that appears from other users. Rating: Important
MS14-080 – Internet Explorer is no stranger to Patch Tuesday. This month's edition resolves over 14 privately reported vulnerabilities including Remote Code Execution and an ASLR bypass. Rating: Critical
MS14-081 – Microsoft Word and Office Web Apps are vulnerable to Remote Code Execution in the context of the currently logged on user. Of course removing Administrator rights from normal users will fix it, but Microsoft is providing a patch anyway. Rating: Critical
MS14-082 – This is another update for Microsoft Word and also covers remote code execution. Rating: Important
MS14-083 – Excel gets a highlight this time, and it too is vulnerable to remote code execution if run by a normal user that has been given administrative credentials. Rating: Important
MS14-084 – Here, Microsoft is seeking to fix a remote code execution flaw in the VBScript Engine. Most IT folks are using PowerShell these days for new scripting projects, but there's a fair amount of VBScript code still out there. This is a client-application vulnerability, so once again, taking away administrative rights would solve the problem. Rating: Critical
Windows JPEG Images
MS14-085 – JPEG images as attack vectors? Apparently so. This vulnerability attacks through Windows JPEG processing and can steal data. Raiting: Important
Discover problems with any of this month's security updates? Let me know and I'll spread the word.