Hi All
The purpose of this alert is to provide you with an overview of
the new security bulletin(s) being released on November
11, 2014. New security bulletins are released monthly to address
critical product vulnerabilities.
Microsoft is releasing the following fourteen
(14) new security bulletins for newly discovered vulnerabilities.
|
BULLETIN
NUMBER
|
SEVERITY
|
BULLETIN
TITLE
&
KB Article
|
AFFECTED
SOFTWARE*
|
IMPACT
|
RESTART
|
CVE
Vulnerability #
|
|
|
Critical
|
Vulnerabilities in Windows OLE Could Allow Remote Code
Execution (3011443)
|
All supported editions of Microsoft Windows.
|
Remote Code Execution
|
May require
|
|
|
|
Critical
|
Cumulative Security Update for Internet Explorer
(3003057)
|
Internet Explorer 6, Internet Explorer 7, Internet
Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer
11 on affected Windows clients and servers.
|
Remote Code Execution
|
Requires
|
CVE-2014-4143, CVE-2014-6337, CVE-2014-6341, CVE-2014-6342, CVE-2014-6343, CVE-2014-6344, CVE-2014-6347, CVE-2014-6348, CVE-2014-6351, CVE-2014-6353, CVE-2014-6349, CVE-2014-6350
|
|
|
Critical
|
Vulnerability in Schannel Could Allow Remote Code
Execution (2992611)
|
All supported releases of Microsoft Windows.
|
Remote Code Execution
|
Requires
|
|
|
|
Critical
|
Vulnerability in XML Core Services Could Allow Remote
Code Execution (2993958)
|
All supported releases of Microsoft Windows.
|
Remote Code Execution
|
May
require
|
|
|
|
Important
|
Vulnerabilities in Microsoft Office Could Allow Remote
Code Execution (3009710)
|
Microsoft Word 2007, Microsoft Word Viewer, and
Microsoft Office Compatibility Pack.
|
Remote Code Execution
|
May
require
|
|
|
|
Important
|
Vulnerability in TCP/IP Could Allow Elevation of
Privilege (2989935)
|
Microsoft Windows Server 2003.
|
Elevation of Privilege
|
May
require
|
|
|
|
Important
|
Vulnerability in Windows Audio Service Could Allow
Elevation of Privilege (3005607)
|
Microsoft Windows Vista, Windows Server 2008, Windows
7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012,
Windows Server 2012 R2, Windows RT, and Windows RT 8.1.
|
Elevation of Privilege
|
Requires
|
|
|
|
Important
|
Vulnerability in .NET Framework Could Allow Elevation
of Privilege (3005210)
|
Microsoft .NET Framework 1.1 Service Pack 1, .NET
Framework 2.0 Service Pack 2, .NET Framework 3.5, .NET Framework 3.5.1, .NET
Framework 4, .NET Framework 4.5, .NET Framework 4.5.1, and .NET
Framework 4.5.2 on affected releases of Microsoft Windows.
|
Elevation of Privilege
|
May require
|
|
|
|
Important
|
Vulnerability in Microsoft SharePoint Foundation Could
Allow Elevation of Privilege (3000431)
|
Microsoft SharePoint Server 2010.
|
Elevation of Privilege
|
May require
|
|
|
|
Important
|
Vulnerability in Remote Desktop Protocol Could Allow
Security Feature Bypass (3003743)
|
Microsoft Windows Vista, Windows Server 2008, Windows
7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT,
Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
|
Security Feature Bypass
|
Requires
|
|
|
|
Important
|
Vulnerability in Internet Information Services (IIS)
Could Allow Security Feature Bypass (2982998)
|
Microsoft Windows 8, Windows 8.1, Windows Server 2012,
and Windows Server 2012 R2 RTM.
|
Security Feature Bypass
|
May
require
|
|
|
|
Important
|
Vulnerability in Active Directory Federation Services
Could Allow Information Disclosure (3003381)
|
Active Directory Federation Services 2.0,
|
Information Disclosure
|
May
require
|
|
|
|
Moderate
|
Vulnerability in IME (Japanese) Could Allow Elevation
of Privilege (2992719)
|
Active Directory Federation Services 2.1, and Active
Directory Federation Services 3.0.
|
Elevation of Privilege
|
May
require
|
|
|
|
Moderate
|
Vulnerability in Kernel-Mode Driver Could Allow Denial
of Service (3002885)
|
Windows Server 2003, Windows Vista, Windows Server
2008, Windows 7, and Windows Server 2008 R2, and Microsoft Office 2007.
|
Denial of Service
|
Requires
|
|
Customers are advised to review
the information in these bulletins, test and deploy the updates immediately in
their environments, if applicable.
Note: In Microsoft’s Advance Notification last week there was
mention of plans to release 16 new security bulletins. In the list of 14
bulletins released today, the bulletin numbering skips MS14-068 and MS14-075.
The reason for this is that two of the scheduled security bulletins have
slipped out of the November bulletin release due to a quality issue found in
testing early this week. The bulletins that have slipped out of the November
bulletin release are being fixed and will be released once they meet quality standards
sufficient for broad public distribution. There is no specific ETA for release
of these bulletins at this time.
The
Malicious Software Removal Tool and Non-Security Updates
·
Microsoft is releasing an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Server Update Services (WSUS),
Windows Update (WU), and the Download Center. Information on the Microsoft
Windows Malicious Software Removal Tool is available at http://support.microsoft.com/?kbid=890830.
· High priority non-security updates Microsoft releases to be
available on Microsoft Update (MU), Windows Update (WU), or Windows Server
Update Services (WSUS) will be detailed in the KB article found at http://support.microsoft.com/?id=894199.
Re-released
Security Advisory
Microsoft rereleased one (1)
security advisory on November 11, 2014. Here is an overview:
|
Security
Advisory 2755801
|
Update for
Vulnerabilities in Adobe Flash Player in Internet Explorer
|
|
What Has
Changed?
|
Microsoft routinely
updates this security advisory to announce the availability of a new update
for Adobe Flash Player. On November 11, 2014, Microsoft released an update
(3004150) for Internet Explorer 10 on Windows 8, Windows Server 2012, and
Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows Server 2012
R2, and Windows RT 8.1. The update addresses the vulnerabilities described in
Adobe Security bulletin APSB14-24.
For more information about this update, including download links, see Microsoft Knowledge Base
Article 3004150.
|
|
More Information
|
|
Out-of-Date
ActiveX Control Blocking in Internet Explorer
Starting on November 11, 2014, Microsoft will expand the
out-of-date ActiveX control blocking feature to block outdated versions of
Silverlight. This update notifies you when a webpage tries to load a
Silverlight ActiveX control older than (but not including) Silverlight
5.1.30514.0.
Additional resources
New
Security Bulletin Technical Details
In the following tables of affected and non-affected software,
software editions that are not listed are past their support lifecycle. To
determine the support lifecycle for your product and edition, visit the
Microsoft Support Lifecycle website at http://support.microsoft.com/lifecycle/.
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-064
|
|
|
Bulletin Title
|
Vulnerabilities in Windows OLE Could Allow Remote Code
Execution (3011443)
|
|
Executive Summary
|
This security update resolves two privately reported
vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The
most severe of these vulnerabilities could allow remote code execution if a
user views a specially crafted webpage using Internet Explorer. An attacker
who successfully exploited the vulnerabilities could run arbitrary code in
the context of the current user. If the current user is logged on with
administrative user rights, an attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.
The security update addresses the vulnerabilities by modifying
how the affected operating systems validate the use of memory when OLE
objects are accessed, and by modifying how Internet Explorer handles objects
in memory.
|
|
Severity Ratings and Affected Software
|
This security update is rated Critical for all supported
editions of Microsoft Windows.
|
|
Attack Vectors
|
CVE-2014-6332:
·
An attacker could host a specially crafted website that is
designed to exploit these vulnerabilities through Internet Explorer, and then
convince a user to view the website.
·
Websites that accept or host user-provided content or
advertisements could contain specially crafted content that could exploit these
vulnerabilities.
CVE-2014-6352:
·
User interaction is required to exploit this vulnerability. For
an attack to be successful by sending an email message to a locally logged-on
user, the user must open an attachment that contains a specially crafted OLE
object.
·
In an email attack scenario, an attacker could exploit the
vulnerability by sending a specially-crafted file to the user and persuading
the user to open the file.
·
In a web-based attack scenario, an attacker would have to host a
website that contains a PowerPoint file that is used to attempt to exploit
this vulnerability.
·
Compromised websites and websites that accept or host
user-provided content could contain specially crafted content that could
exploit this vulnerability.
|
|
Mitigating Factors
|
CVE-2014-6332:
·
Customers whose accounts are configured to have fewer user
rights on the system could be less impacted than those who operate with
administrative user rights.
·
An attacker would have to convince users to visit the website,
typically by getting them to click a link in an email message or
instant message that takes users to the attacker's website.
CVE-2014-6352:
·
In observed attacks, User Account Control (UAC) displays a
consent prompt or an elevation prompt, depending on the privileges of the
current user, before a file containing the exploit is executed. UAC is
enabled by default on Windows Vista and newer releases of Microsoft Windows.
·
Customers whose accounts are configured to have fewer user
rights on the system could be less impacted than those who operate with
administrative user rights.
·
An attacker would have to convince users to visit the website,
typically by getting them to click a link in an email message or
instant message that takes users to the attacker's website.
·
To help protect your computer, files from potentially unsafe
locations are opened in Protected View. By using Protected View, you can read
a file and see its contents while reducing the risks. Protected View is
enabled by default.
|
|
Restart Requirement
|
This update may require a restart.
|
|
Bulletins Replaced by This Update
|
MS11-038 and MS14-060.
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-065
|
|
|
Bulletin Title
|
Cumulative Security Update for Internet Explorer (3003057)
|
|
Executive Summary
|
This security update resolves seventeen privately reported
vulnerabilities in Internet Explorer. The most severe of these
vulnerabilities could allow remote code execution if a user views a specially
crafted webpage using Internet Explorer. An attacker who successfully
exploited these vulnerabilities could gain the same user rights as the
current user.
The security update addresses the vulnerabilities by modifying
the way that Internet Explorer handles objects in memory, by adding
additional permission validations to Internet Explorer, and by helping to
ensure that affected versions of Internet Explorer properly implement the
ASLR security feature.
|
|
Severity Ratings and Affected Software
|
This security update is rated Critical for Internet Explorer 6
(IE 6), Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet
Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE
11) on affected Windows clients, and Moderate for Internet Explorer 6 (IE 6),
Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9
(IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on
affected Windows servers.
|
|
Attack Vectors
|
·
A maliciously crafted website.
·
Compromised websites and websites that accept or host
user-provided content or advertisements.
Only CVE-2014-6339:
·
An attacker could tie this security feature bypass vulnerability
to an additional vulnerability, usually a remote code execution
vulnerability. The additional vulnerability would take advantage of the
security feature bypass for exploitation. For example, a remote code
execution vulnerability that is blocked by ASLR, could be exploited after a
successful ASLR bypass.
|
|
Mitigating Factors
|
For CVE-2014-6349 and CVE-2014-6350:
·
These vulnerabilities by themselves do not allow arbitrary code
to be run. The vulnerabilities would have to be used in conjunction with
another vulnerability that allowed remote code execution. For example, an
attacker could exploit another vulnerability to run arbitrary code through
Internet Explorer, but due to the context in which processes are launched by
Internet Explorer, the code might be restricted to run at a low integrity
level (very limited permissions). However, an attacker could, in turn,
exploit any of these vulnerabilities to cause the arbitrary code to run at a
medium integrity level (permissions of the current user).
|
|
Restart Requirement
|
This update requires a restart.
|
|
Bulletins Replaced by This Update
|
MS14-056
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-066
|
|
|
Bulletin Title
|
Vulnerability in Schannel Could Allow Remote Code Execution
(2992611)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in the Microsoft Secure Channel (Schannel) security package in Windows. The
vulnerability could allow remote code execution if an attacker sends
specially crafted packets to a Windows server.
The security update addresses the vulnerability by correcting
how Schannel sanitizes specially crafted packets.
|
|
Severity Ratings and Affected Software
|
This security update is rated Critical for all supported
releases of Microsoft Windows.
|
|
Attack Vectors
|
An attacker could attempt to
exploit this vulnerability by sending specially crafted packets to a Windows
server.
|
|
Mitigating Factors
|
Microsoft has not identified
any mitigations for this vulnerability.
|
|
Restart Requirement
|
This update requires a restart.
|
|
Bulletins Replaced by This Update
|
MS10-085, MS12-049, and 2868725 in Microsoft Security
Advisory 2868725.
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-067
|
|
|
Bulletin Title
|
Vulnerability in XML Core Services Could Allow Remote Code
Execution (2993958)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in Microsoft Windows. The vulnerability could allow remote code execution if
a logged-on user visits a specially crafted website that is designed to
invoke Microsoft XML Core Services (MSXML) through Internet Explorer.
The security update addresses the vulnerability by modifying the
way that Microsoft XML Core Services parses XML content.
|
|
Severity Ratings and Affected Software
|
This security update for Microsoft XML Core Services 3.0 is
rated Critical for affected releases of Microsoft Windows clients and
Important for affected releases of Microsoft Windows servers.
|
|
Attack Vectors
|
·
Attacker hosts a malicious website utilizing the vulnerability,
then convinces users to visit the site.
·
Attacker takes advantage of compromised websites and/or sites
hosting ads from other providers.
·
Non-Microsoft web applications and services that utilize the
MSXML library for parsing XML could also be vulnerable to this attack.
|
|
Mitigating Factors
|
·
Attacker would have to convince users to take action, typically
by getting them to click a link in an email message or in an instant message
that takes users to the attacker's website or by getting them to open an
attachment sent through email. There is no way for an attacker to force the
user to view malicious content.
·
Exploitation only gains the same user rights as the logged-on
account.
·
By default, all Microsoft email clients open HTML email messages
in the Restricted Sites zone.
·
By default, IE runs in Enhanced Security Configuration mode for
all Windows Servers.
|
|
Restart Requirement
|
This update may require a restart.
|
|
Bulletins Replaced by This Update
|
MS14-005 and MS14-033.
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-069
|
|
|
Bulletin Title
|
Vulnerabilities in Microsoft Office Could Allow Remote Code
Execution (3009710)
|
|
Executive Summary
|
This security update resolves three privately reported
vulnerabilities in Microsoft Office. The vulnerabilities could allow remote
code execution if a specially crafted file is opened in an affected edition
of Microsoft Office 2007. An attacker who successfully exploited this
vulnerability could gain the same user rights as the current user.
The security update addresses the vulnerabilities by correcting
the way that Microsoft Office parses specially crafted files.
|
|
Severity Ratings and Affected Software
|
This security update is rated Important for supported editions
of Microsoft Word 2007, Microsoft Word Viewer, and Microsoft Office
Compatibility Pack.
|
|
Attack Vectors
|
·
Exploitation of this vulnerability requires that a user open a
specially crafted file with an affected version of Microsoft Office software.
·
Web scenario:
o
Attacker hosts a malicious website utilizing the
vulnerability, then convinces users to visit the site.
o
Attacker takes advantage of compromised websites and/or
sites hosting ads from other providers.
·
Email scenario:
o Attacker
sends specially-crafted file and persuades user to open file.
|
|
Mitigating Factors
|
·
Attacker would have to convince users to take action, typically
by getting them to click a link in an email message or in an instant message
that takes users to the attacker's website, or by getting them to open an
attachment sent through email. There is no way for attacker to force user to
view malicious content.
·
Exploitation only gains the same user rights as the logged-on
account.
·
The vulnerability cannot be exploited automatically through
email. Instead, the user must open an email attachment.
|
|
Restart Requirement
|
This update may require a restart.
|
|
Bulletins Replaced by This Update
|
MS14-017 and MS14-061.
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-070
|
|
|
Bulletin Title
|
Vulnerability in TCP/IP Could Allow Elevation of Privilege
(2989935)
|
|
Executive Summary
|
This security update resolves a publically reported
vulnerability in TCP/IP that occurs during input/output control (IOCTL)
processing. This vulnerability could allow elevation of privilege if an
attacker logs on to a system and runs a specially crafted application. An
attacker who successfully exploited this vulnerability could run arbitrary
code in the context of another process. If this process runs with administrator
privileges, an attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights.
The security update addresses the vulnerability by correcting
how the Windows TCP/IP stack handles objects in memory during IOCTL
processing.
|
|
Severity Ratings and Affected Software
|
This security update is rated Important for all supported
editions of Windows Server 2003.
|
|
Attack Vectors
|
To exploit this vulnerability,
an attacker would first have to log on to the system. An attacker could then
run a specially crafted application that could exploit the vulnerability and
take complete control over the affected system.
|
|
Mitigating Factors
|
Microsoft has not identified
any mitigating factors for this vulnerability.
|
|
Restart Requirement
|
This update may require a restart.
|
|
Bulletins Replaced by This Update
|
MS09-048
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-071
|
|
|
Bulletin Title
|
Vulnerability in Windows Audio Service Could Allow Elevation
of Privilege (3005607)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in Microsoft Windows. The vulnerability could allow elevation of privilege if
an application uses the Microsoft Windows Audio service.
The security update addresses the vulnerability by adding
additional permission validations to the Microsoft Windows Audio service
component.
|
|
Severity Ratings and Affected Software
|
This security update is rated Important for all supported
editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server
2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2,
Windows RT, and Windows RT 8.1.
|
|
Attack Vectors
|
·
Attacker hosts a malicious website utilizing the vulnerability,
then convinces users to visit the site.
·
Attacker takes advantage of compromised websites and/or sites
hosting ads from other providers.
|
|
Mitigating Factors
|
This vulnerability by itself
does not allow arbitrary code to be run. The vulnerability would have to be
used in conjunction with another vulnerability that allowed remote code
execution. For example, an attacker could exploit another vulnerability to run
arbitrary code through Internet Explorer, but due to the context in which
processes are launched by Internet Explorer, the code might be restricted to
run at a low integrity level (very limited permissions). However, an attacker
could, in turn, exploit this vulnerability to cause the arbitrary code to run
at a medium integrity level (permissions of the current user).
|
|
Restart Requirement
|
This update requires a restart.
|
|
Bulletins Replaced by This Update
|
None
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-072
|
|
|
Bulletin Title
|
Vulnerability in .NET Framework Could Allow Elevation of
Privilege (3005210)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in Microsoft .NET Framework. The vulnerability could allow elevation of
privilege if an attacker sends specially crafted data to an affected
workstation or server that uses .NET Remoting.
The security update addresses the vulnerability by properly
enforcing security controls for application memory.
|
|
Severity Ratings and Affected Software
|
This security update is rated Important
for Microsoft .NET Framework 1.1 Service Pack 1, .NET Framework 2.0 Service
Pack 2, .NET Framework 3.5, .NET Framework 3.5.1, .NET Framework 4,
.NET Framework 4.5, .NET Framework 4.5.1, and .NET Framework 4.5.2 on affected
releases of Microsoft Windows.
|
|
Attack Vectors
|
An attacker could send
specially crafted data to an affected workstation or server that uses .NET
Remoting, allowing the attacker to execute arbitrary code on the targeted
system.
|
|
Mitigating Factors
|
·
.NET Remoting is not widely used by applications; only custom
applications that have been specifically designed to use .NET Remoting would
expose a system to the vulnerability.
·
.NET Remoting endpoints are not accessible to anonymous clients by
default.
|
|
Restart Requirement
|
This update may require a restart.
|
|
Bulletins Replaced by This Update
|
MS14-026
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-073
|
|
|
Bulletin Title
|
Vulnerability in Microsoft SharePoint Foundation Could Allow
Elevation of Privilege (3000431)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in Microsoft SharePoint Server. An authenticated attacker who successfully
exploited this vulnerability could run arbitrary script in the context of the
user on the current SharePoint site.
The security update addresses the vulnerability by correcting
how SharePoint Server sanitizes modified lists within the SharePoint mobile
browser view
|
|
Severity Ratings and Affected Software
|
This security update is rated Important for supported editions of
Microsoft SharePoint Server 2010.
|
|
Attack Vectors
|
An attacker could modify
certain lists within SharePoint to exploit this vulnerability, and then
convince users to browse to the modified list.
|
|
Mitigating Factors
|
Attacker would have to
convince users to take action, typically by getting them to click a link in
an email message or in an instant message that takes users to the attacker's
website, or by getting them to open an attachment sent through email. There
is no way for attacker to force user to view malicious content.
|
|
Restart Requirement
|
This update may require a restart.
|
|
Bulletins Replaced by This Update
|
MS13-084
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-074
|
|
|
Bulletin Title
|
Vulnerability in Remote Desktop Protocol Could Allow Security
Feature Bypass (3003743)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in Microsoft Windows. The vulnerability could allow security feature bypass
when Remote Desktop Protocol (RDP) fails to properly log audit events.
The security update addresses the vulnerability by correcting
the way RDP handles authentication and logging.
|
|
Severity Ratings and Affected Software
|
This security update is rated Important for all supported
editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server
2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows
Server 2012 R2, and Windows RT 8.1.
|
|
Attack Vectors
|
An attacker could use this
vulnerability to evade detection of multiple failed logon attempts.
|
|
Mitigating Factors
|
Microsoft has not identified
any mitigating factors for this vulnerability.
|
|
Restart Requirement
|
This update requires a restart.
|
|
Bulletins Replaced by This Update
|
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-076
|
|
|
Bulletin Title
|
Vulnerability in Internet Information Services (IIS) Could
Allow Security Feature Bypass (2982998)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in Microsoft Internet Information Services (IIS) that could lead to a bypass
of the "IP and domain restrictions" security feature. Successful
exploitation of this vulnerability could result in clients from restricted or
blocked domains having access to restricted web resources.
The security update addresses the vulnerability by changing how
IIS handles requests when specific IP and domain restriction configurations
exist.
|
|
Severity Ratings and Affected Software
|
This security update is rated Important for all supported
editions of Microsoft Windows 8, Windows 8.1, Windows Server 2012, and
Windows Server 2012 R2 RTM.
|
|
Attack Vectors
|
To exploit this vulnerability,
an attacker would require in depth knowledge of the remote IIS server and
corresponding network topology. An attacker would also need to have control
of their reverse DNS information, or be able to poison the authoritative DNS
of the IIS server, in order to provide a domain name that is formatted in a
manner that causes the vulnerability.
|
|
Mitigating Factors
|
Microsoft has not identified
any mitigating factors for this vulnerability.
|
|
Restart Requirement
|
This update may require a restart.
|
|
Bulletins Replaced by This Update
|
None
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-077
|
|
|
Bulletin Title
|
Vulnerability in Active Directory Federation Services Could
Allow Information Disclosure (3003381)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in Active Directory Federation Services (AD FS). The vulnerability could
allow information disclosure if a user leaves their browser open after
logging off from an application, and an attacker reopens the application in
the browser immediately after the user has logged off.
The security update addresses the vulnerability by ensuring that
the logoff process properly logs off the user.
|
|
Severity Ratings and Affected Software
|
This security update is rated Important for the following:
·
AD FS 2.0 when installed on 32-bit and x64-based editions of
Windows Server 2008
·
AD FS 2.0 when installed on x64-based editions of Windows Server
2008 R2
·
AD FS 2.1 when installed on x64-based editions of Windows Server
2012
·
AD FS 3.0 when installed on x64-based editions of Windows Server
2012 R2
|
|
Attack Vectors
|
An attacker who successfully
exploited this vulnerability could gain access to a user's information by
reopening an application from which the user logged off. Since logoff failed
an attacker would not be prompted to enter a username or password.
|
|
Mitigating Factors
|
Microsoft has not identified
any mitigating factors for this vulnerability.
|
|
Restart Requirement
|
This update may require a restart.
|
|
Bulletins Replaced by This Update
|
None
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-078
|
|
|
Bulletin Title
|
Vulnerability in IME (Japanese) Could Allow Elevation of
Privilege (2992719)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in Microsoft Input Method Editor (IME) (Japanese). The vulnerability could
allow sandbox escape based on the application sandbox policy on a system
where an affected version of the Microsoft IME (Japanese) is installed. An
attacker who successfully exploited this vulnerability could escape the
sandbox of a vulnerable application and gain access to the affected system
with logged-in user rights. If the affected system is logged in with
administrative rights, an attacker could then install programs; view, change
or delete data; or create new accounts with full administrative rights.
The security update addresses the vulnerability by correcting
how the Microsoft IME (Japanese) component loads dictionary files that are
associated with the vulnerability.
|
|
Severity Ratings and Affected Software
|
This security update is rated Moderate on all supported editions
of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2; it is also rated Moderate for all supported editions
of Microsoft Office 2007 where Microsoft IME (Japanese) is installed.
|
|
Attack Vectors
|
In an attack scenario, an
attacker would have to convince the user to open a malicious file that would
invoke the vulnerable sandboxed application, resulting in a compromise of the
sandbox policy. The attacker could then run a program with privileges of the
logged on user.
|
|
Mitigating Factors
|
·
An attacker must have authenticated write access to the system
to exploit this vulnerability. An anonymous user could not exploit the
vulnerability.
·
Only implementations of Microsoft IME for Japanese are affected
by this vulnerability. Other versions of Microsoft IME are not affected.
|
|
Restart Requirement
|
This update may require a restart.
|
|
Bulletins Replaced by This Update
|
None
|
|
Full Details
|
|
|
Bulletin Identifier
|
Microsoft Security Bulletin MS14-079
|
|
|
Bulletin Title
|
Vulnerability in Kernel-Mode Driver Could Allow Denial of
Service (3002885)
|
|
Executive Summary
|
This security update resolves a privately reported vulnerability
in Microsoft Windows. The vulnerability could allow denial of service if an
attacker places a specially crafted TrueType font on a network share and a
user subsequently navigates there in Windows Explorer.
The security update addresses the vulnerability by ensuring that
the Windows kernel-mode driver properly validates array indexes when loading
TrueType font files.
|
|
Severity Ratings and Affected Software
|
This security update is rated Moderate for all supported
releases of Microsoft Windows.
|
|
Attack Vectors
|
·
An attacker could host a specially crafted TrueType font on a
network share and when the user navigates to the share in Windows Explorer,
the vulnerability is triggered, causing the system to stop responding.
·
Email scenario
o
Attacker sends a specially crafted file via email and convinces
user to open the file.
·
Web scenario
o
Attacker hosts a malicious website that contains a
specially-crafted file, then convinces users to visit the site.
o
Attacker takes advantage of compromised websites and/or sites
hosting ads from other providers.
|
|
Mitigating Factors
|
Attacker would have to
convince users to take action, typically by getting them to click a link in
an email message or in an instant message that takes users to the attacker's
website, or by getting them to open an attachment sent through email. There
is no way for attacker to force user to view malicious content.
|
|
Restart Requirement
|
This update requires a restart.
|
|
Bulletins Replaced by This Update
|
MS14-058
|
|
Full Details
|
|
Regarding
Information Consistency
We strive to provide you with accurate information in static (this
mail) and dynamic (web-based) content. Microsoft’s security content posted to
the web is occasionally updated to reflect late-breaking information. If this
results in an inconsistency between the information here and the information in
Microsoft’s web-based security content, the information in Microsoft’s
web-based security content is authoritative.
