Following its Advance Notification for the December 2014 Patch Tuesday updates, Microsoft today released a total of seven security bulletins, which address several vulnerabilities in its products; three are rated 'critical' and the rest 'important' in severity.
Last month, after a large pile of security patches, the company released an unusual emergency patch to fix a critical vulnerability in the Microsoft Windows Kerberos KDC, the authentication system used by default in the operating system, which cybercriminals had exploited to compromise entire networks of computers.
The three critical bulletins affect Internet Explorer, Office and Windows. All versions of Microsoft Internet Explorer (IE) are affected except Server Core, which does not include IE. The critical zero-day IE vulnerability (CVE-2014-8967) was discovered by security researcher Arthur Gerkis of Zero Day Initiative (ZDI) in June this year.
By exploiting the vulnerability, a remote attacker could execute arbitrary code on vulnerable installations of Microsoft Internet Explorer and thereby compromise the system. However, exploitation requires user interaction: the target user must visit a malicious page or open a malicious file.
"The vulnerability relates to how Internet Explorer uses reference counting to manage the lifetimes of the in-memory objects representing HTML elements," reads the ZDI post. "By applying a CSS style of display:run-in to a page and performing particular manipulations, an attacker can cause an object's reference count to fall to zero prematurely, causing the object to be freed. Internet Explorer will then continue using this object after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process."
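The lifetime bug ZDI describes is a generic reference-counting pitfall: code borrows a raw pointer to a counted object, lets some operation mutate the tree (which may drop the last reference), and then keeps using the pointer. The following C program is an added illustration, not code from Internet Explorer, ZDI or this article; `Element`, `Document`, `layout_vulnerable` and `layout_hardened` are constructed names. To keep the outcome deterministic it poisons the object on the final release instead of calling `free()`, so the stale access can be observed rather than being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal reference-counted object standing in for an in-memory HTML element.
   Constructed for this example; real engines have no 'freed' sentinel. */
typedef struct Element {
    int  refcount;
    int  freed;      /* set when the count reaches zero */
    char tag[16];
} Element;

static Element *element_create(const char *tag) {
    Element *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->refcount = 1;                          /* creator holds one strong reference */
    strncpy(e->tag, tag, sizeof e->tag - 1);
    return e;
}

static void element_retain(Element *e) { e->refcount++; }

/* Returns 1 when this release drops the last reference. A real release()
   would call free() here; we only poison so the stale read below is safe. */
static int element_release(Element *e) {
    if (--e->refcount == 0) {
        e->freed = 1;
        memset(e->tag, 0, sizeof e->tag);    /* simulate reclaimed memory */
        return 1;
    }
    return 0;
}

/* The owner of the element's only strong reference. */
typedef struct Document { Element *child; } Document;

/* A mutation that can run in the middle of an operation and release
   the owner's reference (the role played by the style manipulation). */
static void document_detach_child(Document *d) {
    if (d->child) {
        element_release(d->child);
        d->child = NULL;
    }
}

/* Vulnerable pattern: borrow the raw pointer without retaining it, let a
   mutation run, then keep using the pointer. Returns 1 if the object it
   touched had already been freed. */
static int layout_vulnerable(Document *d, void (*mutate)(Document *)) {
    Element *e = d->child;       /* borrowed, refcount still 1 */
    mutate(d);                   /* drops the last reference -> count hits 0 */
    return e->freed;             /* use after free */
}

/* Hardened pattern: hold our own reference for as long as we use the object,
   so the count cannot reach zero underneath us. Returns 1 on a stale touch. */
static int layout_hardened(Document *d, void (*mutate)(Document *)) {
    Element *e = d->child;
    element_retain(e);           /* refcount 2: pinned for the duration */
    mutate(d);                   /* owner releases -> refcount 1, still alive */
    int touched_freed = e->freed;
    element_release(e);          /* our reference goes last -> object freed here */
    return touched_freed;
}

/* Drivers that return the observable result for each pattern. */
static int demo_vulnerable(void) {
    Element *e = element_create("div");
    Document d = { e };
    int stale = layout_vulnerable(&d, document_detach_child);
    free(e);                     /* safe only because release() did not free */
    return stale;                /* 1: the layout code used a freed object */
}

static int demo_hardened(void) {
    Element *e = element_create("div");
    Document d = { e };
    int stale = layout_hardened(&d, document_detach_child);
    free(e);
    return stale;                /* 0: the object outlived the mutation */
}

int main(void) {
    printf("vulnerable pattern touched freed object: %d\n", demo_vulnerable());
    printf("hardened pattern touched freed object:   %d\n", demo_hardened());
    return 0;
}
```

The defensive rule the hardened version encodes is the one that fixes this whole bug class: any code path that can trigger arbitrary tree or style mutation must own a reference to every object it continues to use afterwards, rather than trusting that its owner will keep it alive. Dynamic analysis tools that poison or quarantine freed memory (AddressSanitizer, page-heap style allocators) turn the silent stale read in `layout_vulnerable` into an immediate crash, which is how such defects are usually caught before release.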
ZDI warned Microsoft several days ago about the pending public disclosure of the flaw, after its 180-day disclosure deadline passed in November 2014. All versions of IE are rated critical on Windows desktop systems and moderate on Windows servers. Windows RT versions are also affected, and the vulnerability is rated critical on them.
A second critical update affects only Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008; it is rated critical for the desktop versions and moderate for the servers. Another critical remote code execution update is expected in Microsoft Office, starting with Microsoft Word 2007 SP3, as well as Microsoft Office 2010 SP2, Word 2010 SP2, Word 2013 and Word 2013 RT.
Moreover, two more security bulletins patch remote code execution vulnerabilities in Microsoft Office Web Apps 2010 and 2013, but those vulnerabilities are rated important, meaning there are mitigating factors that make the flaws harder for attackers to exploit.
An elevation of privilege bug in Microsoft Exchange is listed among the other security bulletins and is rated important; the affected software is Microsoft Exchange 2007, 2010 and 2013. The final security update fixes an information disclosure vulnerability in all versions of Windows, including Server Core.
If you have Automatic Updates enabled on your machine, these fixes will be made available via Windows Update and applied automatically for most users. For users who have not enabled it, Microsoft encourages applying the updates promptly. Some of the patches may also require a restart of the server.