Microsoft came out with its December Patch Tuesday update, marking the final set of regularly scheduled security updates for 2014. In total, Microsoft is fixing 24 unique Common Vulnerabilities and Exposures (CVEs) this month, across seven security advisories.
Of those seven security advisories, Microsoft rated only three as critical. One of the critical advisories is MS14-080, which patches 14 CVEs in Microsoft’s Internet Explorer (IE) Web browser. The December CVE count in IE is actually a decline from the 17 CVEs patched in November’s Patch Tuesday update.
The decline in the number of IE vulnerabilities patched by Microsoft, is seen by Qualys CTO Wolfgang Kandek as a good indication that positive movement is possible when it comes to securing IE.
“The rise of the IE vulnerabilities throughout the year indicated to Microsoft that there was a systemic weakness in IE,” Kandek told eWEEK.
Kandek added that it was clear that if attackers and security researchers could find IE vulnerabilities in an automated fashion, something had to be done.
Something in fact has been done.
Microsoft has changed the memory allocation algorithm in IE, Kandek said, adding that the memory change in effect throws a curveball to the exploits that look for expected behavior.
“We need more of that thinking: Be aware that attackers exist, how they work and how can I make the life of the attacker harder,” Kandek said.
The MS14-084 also has an impact on IE.
“A remote code execution vulnerability exists in the way that the VBScript engine, when rendered in Internet Explorer, handles objects in memory,” Microsoft warned in its advisory. “In a Web-based attack scenario, an attacker could host a specially crafted Website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Website.”
The third critical advisory is MS14-081, which details remote code execution vulnerabilities in Word and Microsoft Office Web Apps.
There is some similarity between the Microsoft Office fixes this month and issues found in IE over the course of 2014, said Karl Sigler, threat intelligence manager at Trustwave. “Almost all of the vulnerabilities are memory corruption vulnerabilities similar to those found in Internet Explorer over the past months,” Sigler told eWEEK. “There could absolutely be more of these to come next year.”
Also of note this month is the MS14-075 advisory, which details four CVEs in Microsoft’s Exchange Server. MS14-075 had originally been scheduled to be included in Microsoft’s November Patch Tuesday update but was delayed.
“Since there are no known exploits for these vulnerabilities being used in the wild, it was probably a good decision to hold the bulletin until this month when Microsoft could be sure that it covered the vulnerabilities completely,” Sigler said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.