Last week on Patch Tuesday, four critical vulnerabilities were disclosed and addressed by Microsoft in Security Bulletins MS14-064, MS14-065, MS14-066 and MS14-067.
Let’s follow up on two of the more severe of these:
MS14-064: Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability
This bulletin refers to two vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS14-066: Microsoft Secure Channel (Schannel) Vulnerability
A critical vulnerability in all supported Microsoft Windows systems could allow a remote attacker to execute arbitrary code (download malware) via specially crafted network traffic. Schannel is a security package that provides SSL and TLS on Microsoft Windows platforms. In order to exploit the vulnerability, an attacker would need to control a malicious Web page with exploit code and have users visit it. According to Microsoft’s bulletin, there are no known mitigations or workarounds, but the patch released last week addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets. Johannes Ullrich of the SANS Institute recommends patching as soon as possible: “My guess is that you probably have about a week, maybe less, to patch your systems before an exploit is released.”
Be sure to install the updates released last week by Microsoft on your Windows computer. Managed Windows machines and subscribers of MIT WAUS have received the patches already. You may be required to restart your computer after the installation.
Both vulnerabilities are explained in more detail in this news article.