Patch Tuesday this month means 14 bulletins with new versions and patches for Microsoft software, operating systems and applications.
The most important bulletin, MS14-064, addresses a current Zero Day vulnerability – CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions. Attackers have been leveraging the vulnerability to gain code execution by sending PowerPoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a workaround using EMET and a temporary FixIt patch. This is the final fix for OLE Packager that should address all known exploit vectors.
MS14-066 is a new version of Internet Explorer that addresses 17 vulnerabilities. The most severe of these vulnerabilities could be used to gain control over the targeted machine. An attack will take the form of a malicious webpage that the targeted user lands on.
There are two basic scenarios that attackers use frequently. In the first, the user browses to the site on their own, maybe as part of a daily routine, but the attacker has gained control over the website in question through a separate vulnerability and is able to plant malicious content on the site.
In the second scenario, the attacker sets up a new site and then directs traffic to it through search engine manipulation, i.e. sites purporting to have the latest pictures of a recent event of general or specific interest.
MS14-069 addresses Microsoft Word 2007 and provides fixes for a Remote Code Execution (RCE) vulnerability. The attack scenario here is a malicious document that the attacker prepares to exploit the vulnerability. Attackers then send the document, or a link to it, to their targets and use social engineering techniques, such as legitimate-sounding file names and content descriptions that are likely to interest the targets in question. If you run newer versions of Microsoft Office you are not vulnerable, but users of Office 2007 are susceptible to the weakness.
Microsoft ranks the next bulletin highly. It addresses a number of vulnerabilities in Schannel, an encryption component of Windows that is used in SSL and TLS connections. The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles. The vulnerabilities are private, as researchers within Microsoft found them.
The remaining bulletins address a mix of different operating systems and platforms and include a number of server vulnerabilities: MS14-073 in Microsoft SharePoint and MS14-076 in IIS.