This week Microsoft announced a vulnerability that they are comparing to the recent Heartbleed attack. The vulnerability allows hackers to steal private data and information from remote locations. This is the biggest threat to a website's security, as such attacks completely bypass the data center security protocols.
Microsoft discovered the problem before any known security breaches took place; however, they expect the potential development of an exploit soon. This increases the urgency to apply the necessary patch as soon as possible, which Microsoft released Tuesday morning.
This patch (update) shuts down the server your site is sitting on and takes roughly 30 minutes to install. Once the site is back up, the server will have continuous work performed for 3 days. We strongly suggest a content freeze during this time. By a content freeze, we mean that there should not be any updates or edits made to your site.
We do our best to perform any type of update or maintenance during off-peak business hours. In rare circumstances where we feel the risk is too great, we will make necessary updates during business hours. Our primary concern is the security of our clients' sites.
Below you will find a list of all of the updates for the Microsoft Vulnerability patch.
MS14-064 attempts to resolve two privately reported and one publicly reported vulnerability in Microsoft's Object Linking and Embedding (OLE) technology that could result in a remote code execution scenario if a user visits a specially crafted web page. This update affects how OLE and Internet Explorer (IE) handle objects in memory and affects all supported versions of Microsoft Windows. This patch attempts to resolve two separate issues, one of which was reported at the end of October and was published as Microsoft Security Advisory 3010060. This is definitely a "patch now" update from Microsoft.
MS14-065 continues Microsoft's internal memory management security program with another batch of updates to Microsoft Internet Explorer (IE). This patch, rated as critical by Microsoft, addresses 17 privately reported security issues, the most severe of which could lead to a remote code execution scenario. In addition, this update attempts to fix a further 12 non-security related issues in IE which have been detailed in the Microsoft knowledge base article KB303057. As in past updates to IE, it looks like there has been a complete recompile, and the patch manifest for this update includes a change to all of Internet Explorer's distribution files.
MS14-066 is rated as critical and addresses a privately reported security vulnerability in Microsoft's Schannel security technology that could lead to a remote code execution scenario. Schannel is a security package included as part of the Microsoft Component Object Model (COM) used by Microsoft developers to ensure secure communications between a server and a client, particularly when anonymous clients need to connect to a server as in an on-line e-commerce solution.
The Microsoft security update MS14-067 is rated as critical by Microsoft for Windows desktop platforms and as important for affected server platforms. It addresses a vulnerability in Microsoft XML (MSXML) that, if exploited through a user visiting a specially crafted website, could result in a remote code execution scenario. This Microsoft security patch updates two core MSXML DLL files (MSXML3.DLL and MSXML3R.DLL). These files were released initially with Windows 2000 and updated until 2005. Unless you are stuck using IE6, it is highly unlikely that you are still using this particular version of MSXML. In fact, these particular DLL files experience real backward compatibility issues and date back to the "wild west" of the XML days. I would definitely check your application dependencies prior to deploying this update. It will probably not break newer or modern applications, but it may cause an application compatibility issue with legacy applications. This is a patch now update, with a check for internally developed legacy applications before full deployment.
The Microsoft Office patch MS14-069 resolves three privately reported vulnerabilities that could lead to a remote code execution scenario that only affects Office 2007 Service Pack 3, the Word Viewer utility and the Microsoft Office Compatibility Pack Service Pack 3. At present, Microsoft does not believe that this Office related vulnerability has been exploited in the wild.
MS14-070 attempts to resolve a single publicly reported vulnerability in the TCP/IP networking component during device driver-level input and output process (IOCTL) that could lead to elevation of privilege issues. This update only affects Windows Server 2003 SP2 platforms. If you have migrated onto more modern Microsoft server platforms, you don't need to worry about this update.
MS14-071 has been rated as important for this Patch Tuesday and relates to a single privately reported issue that may lead to an elevation of privilege security issue in the Windows Audio Service. This update impacts all currently supported versions of Windows desktop and server platforms (32, 64-bit and RT versions).
The patch MS14-072 has been rated as important and attempts to resolve a single reported vulnerability in the Microsoft .NET framework that could lead to an elevation of privilege scenario. This update appears to affect all versions of the .NET framework including the slightly smaller redistributable .NET Framework Client Profile.
The patch MS14-073 attempts to address a single privately reported vulnerability in the SharePoint Server 2010 Foundation technology layer. This update only affects server platforms and could lead to an elevation of privilege scenario.
MS14-074 addresses a privately reported vulnerability in the Microsoft Remote Desktop Protocol (RDP) that could lead to a security bypass scenario where failed logon attempts are not correctly logged. This update is applicable for all currently supported Microsoft desktop and server platforms.
MS14-076 resolves a privately reported security issue with Microsoft Internet Information Server (IIS) that could lead to a security bypass scenario in the "IP and Domain Restrictions" feature.
MS14-077 is rated as important and relates to a privately reported vulnerability in Microsoft Active Directory Federation Services which, if un-patched, could lead to an information disclosure scenario if the logged in user leaves their browser window open after logging off from an application. This update only affects Microsoft Server 2008 and 2012.
The update MS14-078 is rated as moderate by Microsoft and relates to an elevation of privilege security issue with the Microsoft Japanese Input Method Editor (IME). The IME has always been a problem for Microsoft, especially with the Japanese, Chinese and Korean markets. The Microsoft Input Method Editor lets you use a relatively simple QWERTY keyboard with a 26 letter alphabet to generate some of the 5000+ Katakana, Hiragana and Chinese Kanji characters. Given the relatively small attack vector for this vulnerability, and the fact that the most likely people to experience difficult trouble-shooting scenarios with this update will have "timezone issues" (Japan is UTC+9:00), I would do some testing prior to deployment of this unusual update.
The Microsoft update MS14-079 addresses a TrueType font index-array validation issue in a kernel-mode driver that could lead to a denial of service security exploit. This update replaces a number of previous updates (MS14-058) that have been linked to a number of installation problems and third party software compatibility issues. Given the lower priority for this November Patch Tuesday update, I might wait a little while before full-scale deployment.
Adobe: Microsoft has released a security advisory for Adobe Flash Player in IE for all supported versions of Windows 8 and Server 2012 (32/64-bit, RT and Server R2). This update relates to Adobe's security update APSB14-24 that resolves 18 publicly reported issues that could result in the attacker taking control of the affected system. This Adobe advisory affects all platforms that support Adobe plug-ins (Windows, Mac, Linux).
Apple: This month we also see Apple release a security update for QuickTime version 7.7.6. This update handles an encoding issue with specially crafted movies that may lead to "arbitrary code execution" scenarios. You can find the update here.
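The dependency check recommended above for MS14-067, as an added example (not from the original post or from Microsoft): a PowerShell inventory of the on-disk versions of the two MSXML files named in that bulletin and of the running processes that currently have them loaded. It assumes an elevated prompt; the variable names are illustrative.

```powershell
# Added example: inventory MSXML3 usage before deploying MS14-067.
# Assumption: run elevated, otherwise other users' processes cannot be inspected.

$targets = 'msxml3.dll', 'msxml3r.dll'   # the two files the bulletin updates

# 1. Record the versions on disk so they can be compared after patching.
$onDisk = foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    foreach ($name in $targets) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Path        = $path
                FileVersion = $item.VersionInfo.FileVersion
                LastWrite   = $item.LastWriteTime
            }
        }
    }
}

# 2. List running processes that have either DLL loaded right now.
$skipped = @()
$users = foreach ($proc in Get-Process) {
    # Protected, exited or different-bitness processes may throw or return nothing.
    try { $mods = $proc.Modules } catch { $mods = $null }
    if (-not $mods) { $skipped += $proc.Name; continue }

    # -contains is case-insensitive, so MSXML3.DLL and msxml3.dll both match.
    foreach ($m in $mods | Where-Object { $targets -contains $_.ModuleName }) {
        [pscustomobject]@{
            Process = $proc.Name
            Id      = $proc.Id
            Exe     = $proc.Path
            Module  = $m.FileName
        }
    }
}

$onDisk | Format-Table -AutoSize
$users  | Sort-Object Process, Id | Format-Table -AutoSize
'Not inspected: {0}' -f (($skipped | Sort-Object -Unique) -join ', ')
```

A 64-bit PowerShell session does not see the 32-bit modules of 32-bit processes, so run it from both the 64-bit and the 32-bit PowerShell on 64-bit Windows. It only catches applications that have the DLL loaded at that moment, so run it while the legacy applications are in use.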