Windows Server admins can expect a busy month of updates in this Patch Tuesday cycle, including a fix for multiple...
zero-day vulnerabilities -- with one attributed to cyber espionage.
The latest batch of Patch Tuesday security updates includes eight bulletins. Three updates are marked critical and five are important. All three critical bulletins address remote code execution vulnerabilities.
One critical fix addresses 14 reported vulnerabilities in all supported versions of Internet Explorer (IE). These vulnerabilities could be exploited if end users visit a malicious Webpage using the browser. One included a zero-day vulnerability where attackers can break through the sandbox capability of IE.
The five important updates address security bypass features, remote code execution and elevation of privilege vulnerabilities. But the most important update is likely MS14-060, which addresses the zero-day remote code execution "Sandworm" vulnerability.
The vulnerability, which iSIGHT Partners discovered, is allegedly part of a Russian cyber-espionage campaign with a number of targets, including NATO and the European Union. It could be exploited if end users open a Microsoft Office document with a malicious Object Linking and Embedding file.
"It's really a Windows vulnerability, not a PowerPoint vulnerability," said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.
The vulnerability affects all supported versions of Windows and Windows Server 2008 and higher.
The other two critical fixes address vulnerabilities in multiple versions of the .NET Framework and kernel-mode drivers on all supported versions of Windows, the latter of which is the third zero-day vulnerability.
The vulnerability exists within TrueType fonts, which could lead to remote code execution when a malicious file is downloaded.
"We tend to think of fonts as something simple, but they're really terribly complicated," Kandek said. "We underestimate the complexity."
The number of security updates included in this Patch Tuesday is a significant increase from the previous cycle. There were only four fixes in September's cycle, one of which was critical. This is the second month in a row with an important fix for ASP.NET.