Patch Tuesday brings security updates for IE, Office, SharePoint

In this month's Patch Tuesday Microsoft addresses critical remote code execution vulnerabilities in Office, SharePoint and an IE security issue.

Windows Server admins will have their hands full with a number of security updates in this month's Patch Tuesday to address vulnerabilities in Office, SharePoint and Internet Explorer.

Microsoft released eight updates in the latest cycle -- two that are critical and six that are important.

Both critical updates address remote code execution vulnerabilities. One update fixes vulnerabilities in Internet Explorer (IE), which could be exploited if end users visit a malicious webpage in IE. The vulnerabilities affect all versions of IE on multiple versions of Windows Server.

This is a unique security update because Microsoft stopped its normal processes to address a vulnerability used to attack IE in the wild, said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif. Google discovered the vulnerability, he added.

The other critical update addresses vulnerabilities in Office and SharePoint. The most dangerous vulnerability could be exploited if end users view a malicious page in a SharePoint server.

The important security updates cover a number of vulnerabilities. One update addresses elevation of privilege vulnerabilities in Active Directory Group Policy preferences, and another update addresses remote code execution vulnerabilities in multiple versions of Office.

The Group Policy preferences patch is an unusual one, said Amol Sarwate, director of vulnerability labs at Qualys.

"I don't think we've seen something like this in the recent past," he said.

Attackers who've already compromised a domain can leverage this access to create Group Policy preferences and potentially discover usernames and passwords stored in them, Sarwate said. Microsoft removed this feature so end users can't use it to save their usernames and passwords going forward, he added.

The Office vulnerabilities can be exploited if end users click on a link and give attackers the ability to use SkyDrive. The patch ensures that the Chinese Grammar Checker in Office verifies file paths before they load to external libraries and that Office knows how to handle special responses from websites.

It's difficult to know how attackable the vulnerability is because no one knows exactly how many end users use the Chinese Grammar Checker, Sarwate said. But this vulnerability brings up an interesting point in how new technologies bring their own risks to end users, Kandek said.

There are plenty of productivity gains to be made when sharing files this way, but there's the potential for abuse, he said.  

Other important security updates address elevation of privilege vulnerabilities, denial of service vulnerabilities and a security bypass feature vulnerability. The complete list of bulletins can be found on Microsoft Technet.

Windows XP risks

In addition, Microsoft released an out-of-band security update earlier this month to address a critical remote code execution vulnerability in IE. The vulnerability appeared in attacks on IE versions 9 through 11, but other IE versions on Windows XP machines were vulnerable to future attacks if the patch wasn't applied. Admins were surprised by Microsoft's decision to include XP in the update.

This is the first Patch Tuesday following end-of-life for Windows XP and Office 2003. The majority of organizations don't get patches for XP anymore because doing so requires a special program through Microsoft which costs money, Kandek said.

Citing Qualys statistics, 8% of enterprise customers still run XP, which is down from 10% in April and 12% month in March, he said.

"People seem to be set to get rid of XP in the next few months," he said. "There's a risk if you use XP right now. Attackers could come up with exploits and you will not be able to patch against them."

Microsoft has also released fewer Patch Tuesday updates this year in comparison to last year. This month's bulletins bring the 2014 total up to 29, a significant difference from 46 bulletins at the same point in 2013.

Dig Deeper on Windows Server troubleshooting

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Critically important set of patches aimed to fix flaws in all versions of the Internet Explorer browser that can result in remote code execution on victims' machines can result in attackers gaining the ability to execute code on host computers.