Microsoft has now "released the hounds," as it were, and the November updates are available for either download or to receive through your Windows Update connected services (WSUS, Configuration Manager, 3rd party patching mechanisms. This month, Microsoft is delivering a huge number of updates. It's not a record number, but still pretty significant.
For many companies, due to the problems with Microsoft's updates over the last few years, and really highlighted with exclamation points over the last few months, IT organizations are delaying applying updates longer than normal. A lot of IT folks are so tentative with their patching routines now, they sit and wait to hear of publicized problems before even attempting to start testing. Even if they've not been impacted directly (Microsoft says the problems have had minimal customer impact), they still prefer to wait.
But, unfortunately, a few of the updates releasing this month should be considered critical and testing should probably start right away. I think it helps to have a list of what is being patched versus what effect it could have should delivering the updates be delayed.
Here's the list of what's being rolled out. To make it a bit easier to get a sense of the specific vulnerabilities, I've boldened the explicit attack vectors.
MS14-064 - Resolves two privately reported vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The vulnerabilities could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object. Severity Rating: Critical
MS14-065 - Resolves seventeen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Severity Rating: Critical
MS14-066 - Resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server. Severity Rating: Critical
MS14-067 - Resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a logged-on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. Severity Rating: Critical
MS14-069 - Resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office 2007. Severity Rating: Important
MS14-070 - Resolves a publically reported vulnerability in TCP/IP that occurs during input/output control (IOCTL) processing. This vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. Severity Rating: Important
MS14-071 - Resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an application uses the Microsoft Windows Audio service. Severity Rating: Important
MS14-072 - Resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. Severity Rating: Important
MS14-073 - Resolves a privately reported vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could run arbitrary script in the context of the user on the current SharePoint site. Severity Rating: Important
MS14-074 - Resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass when Remote Desktop Protocol (RDP) fails to properly log audit events. Severity Rating: Important
MS14-076 - Resolves a privately reported vulnerability in Internet Microsoft Information Services (IIS) that could lead to a bypass of the "IP and domain restrictions" security feature. Successful exploitation of this vulnerability could result in clients from restricted or blocked domains having access to restricted web resources. Severity Rating: Important
MS14-077 - Resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application, and an attacker reopens the application in the browser immediately after the user has logged off. Severity Rating: Important
MS14-078 - Resolves a privately reported vulnerability in Microsoft Input Method Editor (IME) (Japanese). The vulnerability could allow sandbox escape based on the application sandbox policy on a system where an affected version of the Microsoft IME (Japanese) is installed. Severity Rating: Moderate
MS14-079 - Resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker places a specially crafted TrueType font on a network share and a user subsequently navigates there in Windows Explorer. Severity Rating: Moderate
So, that's it…whew! So, you see, there are some in the list that you should really take notice of and start testing now. The security updates denoted as being "privately reported" usually means that great care has been taken to keep the vulnerability quiet in an attempt to keep attacks at bay until a fix is available. To add to this, don't forget that Microsoft released an updated EMET yesterday, just hours before today's updates were released. Don't think that there's not a significant reason for that. The new EMET fixes a compatibility issue with an update for Internet Explorer that released today. On one hand, it's great to hear that the EMET and Update teams are talking and working together, but at the same time it represents an issue that needed to be ironed-out prior to the updates delivering – possibly because Microsoft was worried that workable mitigations might be needed.
Get patching! I'll keep my ear to the pipes and let you know if any of today's updates are reported to cause problems.
