December 2014 Patch Tuesday Releases 7 Fixes, Addresses Microsoft Exchange Bug

This year’s last installment of Patch Tuesday security advisories from Microsoft includes MS14-075, a fix for a bug in Microsoft Exchange Server that had been delayed from last November. It is rated Important because it addresses an elevation of privilege affecting several versions of Exchange: 2007 (SP3), 2010 (SP3), and 2013 (Cumulative Update 6). Last month, Microsoft had listed the patch date for MS14-075 as “Release date to be determined”.

Microsoft Rates 3 Bulletins as ‘Critical’, 4 as ‘Important’

A total of three critical bulletins were listed: MS14-080, MS14-081, and MS14-084. MS14-080 resolved vulnerabilities in Internet Explorer, while MS14-081 patched previously reported bugs in Microsoft Word and Microsoft Office Web Apps. The MS14-084 bulletin fixed a remote code execution vulnerability in the VBScript scripting engine in Microsoft Windows.

As previously discussed, MS14-075 was given an ‘Important’ rating due to an elevation of privilege across various versions of Microsoft Exchange Server. MS14-082 and MS14-083 both addressed remote code execution flaws in Microsoft Office programs, while MS14-085 fixed a bug that “could allow information disclosure if a user browses to a website containing specially crafted JPEG content.”

Users and system administrators are strongly advised to apply these patches immediately. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities through the following DPI rules:

  • 1000552 – Generic Cross Site Scripting(XSS) Prevention
  • 1006346 – Identified Unvalidated Redirect And Forward Over HTTP
  • 1006373 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6327)
  • 1006376 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6329)
  • 1006378 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6330)
  • 1006383 – Microsoft Internet Explorer VBScript Memory Corruption Vulnerability (CVE-2014-6363)
  • 1006374 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6366)
  • 1006396 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6369)
  • 1006379 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6373)
  • 1006387 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6375)
  • 1006371 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6376)
  • 1006381 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8966)
  • 1006393 – Microsoft Word Index Remote Code Execution Vulnerability (CVE-2014-6356)
  • 1006370 – Microsoft Word Use After Free Remote Code Execution Vulnerability (CVE-2014-6357)
  • 1006394 – Microsoft Office Component Use After Free Vulnerability (CVE-2014-6364)
  • 1006385 – Microsoft Excel Global Free Remote Code Execution Vulnerability (CVE-2014-6360)
  • 1006382 – Microsoft Excel Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6361)
  • 1006380 – Microsoft Graphics Component Information Disclosure Vulnerability (CVE-2014-6355)

More information about these bulletins and their corresponding Trend Micro solutions is posted on our Threat Encyclopedia page: December 2014 – Microsoft Releases 7 Security Advisories.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 9. December 2014.