Last Patch Tuesday of 2014 brings fixes for IE, Office

Microsoft's last set of security fixes for the year brought critical fixes for Microsoft Office, VBScript and Internet Explorer.

Microsoft may appear to end 2014 on a light note, but the security updates in this month's Patch Tuesday cycle still pack quite a punch.

After November's monstrous batch of security updates, Windows Server admins will have seven security updates to implement in December. Three updates are marked as critical and four as important.

All three critical updates address remote code execution vulnerabilities. One of these updates addresses 14 reported vulnerabilities in multiple versions of Internet Explorer (IE), which could be exploited if end users visit a malicious web page through IE.

The other critical updates address vulnerabilities in multiple versions of Microsoft Word and Microsoft Office Web Apps as well as the VBScript scripting engine. Two vulnerabilities in Word and Office Web Apps could be exploited if attackers convince end users to open a malicious file using affected versions of these programs.

Office also received an important security fix for a remote code execution vulnerability, which could be exploited in the same way as the vulnerabilities in the critical Office update.

While it's unclear why there is a distinction between the two bulletins, their criticality could rest on how exploitable the vulnerability is.

"In the past this distinction of having to open a file is a defensive mechanism," said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif. "That's what you do with Word, you open a file. Those Office vulnerabilities are pretty serious."

The vulnerability in VBScript, which affects multiple versions of Windows, could be exploited if end users visit a malicious website.

December's four important updates

The four important updates in this Patch Tuesday cycle address remote code execution, information disclosure and elevation of privilege vulnerabilities.

The information disclosure vulnerability affects a Microsoft graphics component in multiple versions of Windows. The vulnerability could be exploited if end users go to websites with malicious JPEG content.

The final important update addresses four elevation of privilege vulnerabilities affecting multiple versions of Exchange, which could be exploited if end users click on malicious URLs taking them to target Outlook Web App sites.

The complete list of updates and affected software can be found in Microsoft's security bulletin summary.

Reflecting on Microsoft's 2014 security record

November's Patch Tuesday was the largest of the year with a total of 14 security updates, but two updates meant for a Patch Tuesday release were pulled at the eleventh hour. One of those updates, MS14-068, critically affected multiple versions of Windows and was rolled out the week after Patch Tuesday. The other pulled update, MS14-075, was rolled out in this month's Patch Tuesday cycle.

Kandek noted a marked decrease in the number of bulletins Microsoft issued in the last year, but an increase in zero days from attackers.

"From our side we've had more work this year than in past years, [with] more to do and [having to be] quicker to react," said Kandek.
