
Microsoft delivers hefty batch of patches

Microsoft patched two zero-day vulnerabilities in the year's largest Patch Tuesday update, but it delayed an Exchange update.

Windows Server admins received the biggest batch of patches so far this year on Tuesday, including four critical patches.

The latest round contains 14 security updates in total: four critical, eight marked as important and two moderate.

All four critical updates address remote code execution vulnerabilities. One critical update addresses two vulnerabilities in Windows Object Linking and Embedding (OLE) in all supported versions of Windows. These vulnerabilities could be exploited if an end user visits a malicious Web page with Internet Explorer (IE) and the browser improperly accesses objects in memory.

This is a high priority update for administrators, because attackers are actively exploiting these vulnerabilities, according to Amol Sarwate, director of engineering at Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.

Another critical update addresses 17 vulnerabilities in IE versions 6 through 11, which could be exploited if end users visit malicious websites with the browser.

The other two critical updates address a vulnerability in Microsoft Secure Channel (Schannel) and a vulnerability in Microsoft XML Core Services. Windows Server 2003 through Windows Server 2012 R2 are affected by both.

The Schannel vulnerability is a high priority because it allows would-be attackers to eavesdrop on the connection between the client and the server, Sarwate said.

"A lot of online banking and online retail uses TLS or SSL, and therefore this one is critical," Sarwate said.

The eight important bulletins address a mixture of vulnerabilities. One important update addresses three remote code execution vulnerabilities in Microsoft Office 2007, which could be exploited if end users open a malicious file.

"Organizations should rate [the Office patch] as critical" based on its larger install base, Sarwate said. However, Office 2010 and 2013 are not affected.

November’s security patches

Another important update addresses a security feature bypass vulnerability in Microsoft Internet Information Services in Windows 8 and Windows Server 2012 and higher.

One of the important updates addresses an information disclosure vulnerability in Active Directory Federation Services (ADFS), which could be exploited if users keep a browsing window open after they log off from an application. This update affects multiple versions of ADFS on Windows Server 2008 and higher.

Other important updates address elevation of privilege vulnerabilities in multiple .NET Framework versions and in the TCP/IP processing found in supported versions of Windows Server 2003.

The moderate updates address a denial of service vulnerability in kernel-mode drivers, which could be exploited if a user browses to a folder containing a malicious TrueType font file in Windows Explorer, and an elevation of privilege vulnerability in the Japanese version of the Microsoft Input Method Editor. A detailed list of all 14 updates and affected software is available on Microsoft's Security TechCenter site.
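For administrators working through a batch like this, the practical question is which of the month's updates a given server has already taken and which are still outstanding. The script below is an added example written for this article, not code from Microsoft or Qualys. It lists security updates installed since a cutoff date and then asks the Windows Update Agent, through its standard COM API, which updates it still considers missing, ranked by Microsoft's severity so the critical ones surface first. It assumes an elevated PowerShell 3.0 or later session on the server being checked, with network access to WSUS or Microsoft Update; the 30-day default cutoff is a placeholder, not a date taken from the article.

```powershell
# Added example (not from the article): audit a Windows Server against a
# Patch Tuesday batch. Lists security updates installed since a cutoff
# date, then asks the Windows Update Agent which updates are still
# missing, sorted by MSRC severity so Critical ones surface first.
# Assumptions: elevated PowerShell 3.0+ on the server being checked,
# which can reach WSUS or Microsoft Update. The 30-day default cutoff
# is a placeholder, not a date from the article.
param(
    [datetime]$Since = (Get-Date).AddDays(-30)
)

# 1. What has already been applied since the cutoff.
#    Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be empty
#    for some entries, and those are simply not matched by the filter.
$installed = @(Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
    Sort-Object InstalledOn |
    Select-Object HotFixID, Description, InstalledOn)

Write-Host "Updates installed since $($Since.ToShortDateString()): $($installed.Count)"
$installed | Format-Table -AutoSize

# 2. What the Windows Update Agent still considers missing.
#    This is the same COM API the Windows Update client uses; the
#    criteria string selects applicable, not-yet-installed, unhidden updates.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# Rank MSRC severities so sorting puts Critical first; updates with no
# severity (non-security updates) sort last.
$rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3 }

$pending = @(foreach ($u in $result.Updates) {
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'None' }
    [pscustomobject]@{
        Severity = $sev
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        Title    = $u.Title
        Reboot   = $u.RebootRequired
    }
})

$pending = @($pending | Sort-Object `
    { if ($rank.ContainsKey($_.Severity)) { $rank[$_.Severity] } else { 9 } }, KB)

Write-Host "Updates still missing: $($pending.Count)"
$pending | Format-Table -AutoSize

# 3. Exit code for use from a scheduled task or configuration check:
#    non-zero if any Critical or Important update is still outstanding.
$urgent = @($pending | Where-Object { $_.Severity -in 'Critical', 'Important' })
if ($urgent.Count -gt 0) {
    Write-Warning "$($urgent.Count) Critical/Important update(s) outstanding on $env:COMPUTERNAME"
    exit 1
}
exit 0
```

Run it as `.\Check-PatchTuesday.ps1` (or with `-Since '2014-11-11'` to pin the cutoff to a specific Patch Tuesday). The installed list and the pending list are deliberately drawn from two different sources: Get-HotFix only reports what the servicing stack has recorded as applied, while the Windows Update Agent search reflects what the update server currently believes is applicable, so an update that is held back or superseded on the server side will not appear as missing here even if the bulletin says the host is affected.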

There were originally 16 updates scheduled for this Patch Tuesday cycle, but only 14 were released. Two updates appear to have been pulled after last week's advance security notification bulletin. An Exchange quarterly update, along with its security fixes, was held back until December, the company said.
