Patch Tuesday wrap-up, December 2014 – why “Important” can be Critical…

Adobe and Microsoft put forth their respective Patch Tuesday updates this week, bringing you their last scheduled patches of 2014.

Adobe

In November 2014, Adobe limited itself to a single product update, patching only Flash Player.

In December 2014, however, there are fixes for Reader (and Acrobat), Flash and Cold Fusion.

Cold Fusion (APSB14-29) gets what you might call a baby patch, described as a Hotfix rather than a full-on Security Update.

The bug could apparently be abused to eat up memory and thus cause a denial of service. (That’s where a crook tricks your computer into wasting time on purposeless work while useful tasks are held up.)

Flash

Flash Player for Windows, Mac and Linux (APSB14-27) gets a full-sized Security Update that fixes six CVE-numbered vulnerabilities, at least some of which could let an attacker take over your computer with remotely-supplied code.

In short, that means that just looking at a website containing a poisoned Flash file could implant malware on your computer.

Adobe admits that it is:

aware of reports that an exploit for CVE-2014-9163 exists in the wild, and recommends users update their product installations to the latest versions.

That isn’t the clearest prose in the world, but it seems fair to heed the warning and assume that a publicly-available exploit is available for CVE-2014-9163 (about which, sadly, no details are supplied).

Reader

Reader and Acrobat (APSB14-28) on Windows and Mac get a similar slew of fixes, with an impressive 20 CVEs patched.

Again, these “could potentially allow an attacker to take over the affected system,” to use Adobe’s words.

There is no mention of public disclosure or in-the-wild attacks, so it sounds as though the prompt application of the Reader patches will help to keep you ahead of the crooks, rather than merely catching up.

Microsoft

Microsoft pumped out seven bulletins for December 2014, including one for Exchange Server that was supposed to appear last month, but was held back at the last minute for the sake of safety.

In years gone by, when a Microsoft patch slipped, its bulletin number (the year/sequence identifier of the form MSyy-sss) was withdrawn.

Any bulletins lower down in the list had their numbers shifted up to close the hole.

Between November 2014 and December 2014, however, that process wasn’t followed, so the Exchange Server update keeps the MS14-075 number it was allocated last month, with the new bulletins starting from MS14-080.

That numbering change may seem like a triviality, but this is apparently an official and permanent shift in Microsoft’s standard numbering practice, so it’s worth knowing: bulletin numbers no longer necessarily tell you when, or in what order, they came out.

→ We aren’t complaining. We think the new system is more logical, because it avoids the confusion of reassigning bulletin numbers after they have been announced.

Exchange Server

The MS14-075 fix patches a number of vulnerabilities in Exchange Server that were discovered privately.

One of these holes allows security tokens to be stolen and used to send emails in someone else’s name.

Even though the stolen session token wouldn’t allow an attacker to get into your personal data, so he couldn’t read your profile or look at your email, you can probably imagine how handy it would be for a social engineer to be able to send malicious emails as if they came from you.

So, this patch may only be listed as Important – Elevation of Privilege, but don’t let that convince you to leave it until last.

Microsoft Graphics Component

The last-numbered patch on Microsoft’s December 2014 list, MS14-085, also sounds comparatively unimportant, rating just Important – Information Disclosure.

But the bug is a publicly-disclosed vulnerability in the way the Windows kernel handles JPEG files.

It could be triggered by an image in a poisoned web page, and it could reveal memory addresses that would allow an attacker to bypass Address Space Layout Randomisation (ASLR).

ASLR is what prevents attackers from guessing where to find important system components in memory.

In theory, this means that even if they find a way to crash applications such as your browser or your Flash Player, they’re stumped for where to send that crashing program next in order to do anything purposefully dangerous.

Of course, a publicly-disclosed ASLR bypass trick is a prime candidate for crooks to combine with other vulnerabilities, including the remaining five for this month, as a part of weaponising them to turn them into working attacks.

Remote Code Execution

The remaining patches close potential remote code execution (RCE) bugs in Internet Explorer, VisualBasic Script (VBS) and various parts of Office.

We shan’t go into detail about the different RCEs; it’s enough to know that:

  • RCE holes in a browser usually mean “click-to-own”, where merely viewing a poisoned web page leads directly to a malware infection.
  • RCE holes in Office usually mean “open-and-own”, where merely looking at a booby-trapped document runs malware without so much as an “Are you sure?”

Incidentally, and perhaps surprisingly, two of the Office-related RCEs (MS14-082 and MS14-083) only rate Important.

But the remaining Office vulnerability makes it to Critical.

That’s because it affects both Word and Office Web Apps, making it an open-and-own and a click-to-own risk.

The bottom line

And there you have it.

Even the Importants are critical, so we recommend updating promptly and checking that your updates actually worked.

For more information


(Audio player not working? Download to listen offline, or listen on Soundcloud.)