Microsoft is out today with it November Patch Tuesday update, providing 14 security updates that address 33 vulnerabilities. As part of the update, Microsoft is closing the last piece of an exploit that emerged after the October Patch Tuesday update.
The October Patch Tuesday update fixed 24 Common Vulnerabilities and Exposures (CVEs), including CVE-2014-4114, the flaw known as Sandworm that was used in attacks against NATO and the European Union. On Oct. 21, Microsoft warned its users about CVE-2014-6352, which is another flaw in the Microsoft Object Linking and Embedding (OLE) technology that is at the root of the Sandworm vulnerability. Microsoft provided a “Fix-it” for CVE-2014-6352, though a full patch was not made available until today.
The CVE-2014-6352 vulnerability is being patched inside of the MS14-064 advisory, which actually patches an additional OLE vulnerability identified as CVE-2014-6332.
“A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory,” Microsoft’s advisory on CVE-2014-6332 states. “When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.”
With the new OLE updates, the hope is that Sandworm-type exploitations will no longer be possible. Amol Sarwate, director of Vulnerability Labs at Qualys, explained to eWEEK that Sandworm exploited Windows OLE components and used CVE-2014-4114 initially.
“Today another vulnerability, CVE-2014-6352, was fixed in OLE,” Sarwate said. “It’s hard to say if more vulnerabilities may or may not be found in OLE, but usually when a vulnerability is found in a certain component, white hat security researchers as well as attackers start poking that component to check for existence of other flaws.”
Secure Channel
Among the interesting flaws that Microsoft is patching this month is CVE-2014-6321, a remote code execution vulnerability in the Microsoft Secure Channel (Schannel) security technology. Schannel is a security package that enables SSL/TLS for Windows.
Over the course of 2014, there have been a number of high-profile flaws in SSL, including the Heartbleed flaw in April and more recently the POODLE disclosure. Ross Barrett, senior manager of security engineering at Rapid7, told eWEEK that the CVE-2014-6321 issue is somewhat different from Heartbleed or POODLE.
“With Heartbleed and POODLE we had either exploitation in the wild or at least a proof of concept,” Barrett said. “In this case, neither has become public. The vulnerability is still only vaguely described.”
Barrett added that right now the impact from CVE-2014-6321 is low, but if exploit code leaks and this proves to be a serious issue, then the impact will increase.
IE
As is typical in most Microsoft Patch Tuesday updates, the Internet Explorer (IE) Web browser is responsible for a largest number of reported CVEs. For November, the MS14-065 advisory for IE includes fixes for 17 CVEs. The vulnerabilities include multiple memory corruption and information disclosure flaws.
“The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory,” Microsoft’s advisory states.
Karl Sigler, threat intelligence manager at Trustwave, told eWEEK that it certainly appears that there is a constant stream of vulnerabilities in IE. That said, it appears that a lot of these are being discovered through automatic fuzzing techniques, which can often result in multiple vulnerability discoveries, he said. Fuzzing is a security technique where invalid input is thrown into an application to see what will happen.
“It’s a bit like shaking the tree to see what falls,” Sigler said. “Hopefully, this method of vulnerability finding will exhaust these bugs and make IE a more secure product in the end, but really we’ll all be waiting for next month to see for sure.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.