Microsoft issued seven security bulletins in its December Patch Tuesday release and the company’s last of the year.
Microsoft issued seven security bulletins in its December Patch Tuesday release and the company’s last of the year.

Microsoft issued seven security bulletins in its final Patch Tuesday release for the year.

Three bulletins were deemed "critical," while four were rated "important." All in all, 24 vulnerabilities were addressed in Microsoft Exchange, Internet Explorer, Microsoft Office and Microsoft Windows, according to the tech giant's December bulletin summary.

One bulletin, MS14-080, resolved fourteen privately reported vulnerabilities in Internet Explorer, one of which could allow for remote code execution if a user “views a specially crafted webpage using Internet Explorer.” All versions of the browser are susceptible to attack.

For multiple experts, this bulletin appeared to be the most pressing.

Wolfgang Kandek, CTO at Qualys, noted that a security issue addressed with both the MS14-080 and MS14-084 patch could be exploited using a malicious webpage as the main attack vector.

“Think for example the hundreds of thousands of Drupal sites that recently became exploitable through a SQL injection vulnerability in a core component,” he said in a comment emailed to SCMagazine.com

The overlapping bug addressed in both patches, a VBScript memory corruption vulnerability designated as CVE-2014-6363, could present a particularly challenging patching configuration, said Ross Barrett, senior manager of security engineering at Rapid7, in an emailed comment to SCMagazine.com.

“Systems without IE will only be offered the MS14-084 patch,” he said. “Systems with IE 8 and older will be offered the MS14-080 AND the MS14-084 patch. Systems with IE 9 or later will not be offered the MS14-084 patch because the issue is addressed by the MS14-080 patch.”

Also included in this batch of patches is the delayed MS14-075 bulletin, which resolves four privately reported vulnerabilities in Microsoft Exchange Server that could allow for elevation of privilege.

“This patch addresses two Outlook Web Access Cross Site Scripting issues, a web application token spoofing issue, and an issue with Exchange URL redirection,” Barrett said. “Even though only tagged important, the presence of MS Exchange on the perimeter and the potential for this type of attack to be combined with stolen credentials and other malicious behavior will make it a patching priority.”

Overall, Microsoft issued 85 bulletins in 2014, compared to 106 issued in 2013. Of the patches issued in 2014, only 30 were rated critical.

“The overall number of all vulnerabilities in 2014 is at an all-time high of nearly 7,500,” said Russ Ernst in an emailed commentary to SCMagazine.com. “With the Microsoft vulnerability count this year only accounting for just over six percent, down from nearly 10 percent last year, attackers are continuing the trend to focus on third party applications and platforms other than Windows.”

[An earlier version of this article incorrectly stated that 25 CVEs were addressed. The correct number is 24.]