Microsoft has released 14 security bulletins in its Patch Tuesday update, remediating 33 vulnerabilities in its software.
Among the patches, four are rated “critical,” eight “important,” and two “moderate." The updates resolve flaws in Windows, Internet Explorer, Office, .NET Framework and SharePoint Server.
The top priority bulletin this month, MS14-064, resolves two vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE) – one being the problematic bug, CVE-2014-6352, that was exploited by a Russian cyberespionage, dubbed Sandworm Team.
In Microsoft's October Patch Tuesday release, the bug (then assigned the number CVE-2014-4114) received a fix, but a week later researchers began warning users that the zero-day flaw could still be bypassed by attackers. Microsoft responded to the findings, dispatching a temporary solution called the “OLE packager Shim Workaround,” but it was not until November's release that the vulnerability received another patch.
Security firm Symantec explained at the time, that the original Sandworm vulnerability involved embedded OLE files linking to external files, while exploitation bypassing the resulting patch targeted OLE files that have the “executable payloads embedded within them.”
The three remaining critical bulletins released Tuesday bring a cumulative security update for IE (MS14-065), plug a remote code execution (RCE) vulnerability in the Microsoft Secure Channel (Schannel) security package (MS14-066), and resolve a bug in Microsoft XML Core Services (MSXML) that could also allow RCE. The eight patches deemed “important” address Windows, .NET Framework and SharePoint Server vulnerabilities allowing elevation of privilege, Office flaws allowing RCE and security issues in Windows that could lead to security feature bypass and information disclosure.
Microsoft's two “moderate” patches closed a hole in its Japanese version Input Method Editor (IME) that could allow elevation of privilege, as well as vulnerability in its Windows kernel mode driver allowing denial of service.
Of note, Microsoft announced last week in an advance notification that it planned to release 16 bulletins on Patch Tuesday. The two missing bulletins, MS14-068 and MS14-075, were listed in the tech giant's security bulletin summary this month, but with notations saying “release date to be determined.”
Tyler Reguly, manager of security research at Tripwire, said in prepared email commentary to SCMagazine.com that Microsoft, “to the best of [his] knowledge, introduced a new first this month,” with the move.
“It is not uncommon for a bad patch to be pulled during the QA process," Reguly said. "It is, however, odd for the numbering to remain untouched. This means that we'll likely see both of these bulletins released next month and they will be out of order from the other bulletins."