Microsoft Security Bulletin: December 2014 Release!
Welcome to yet another month of updates! It’s pretty busy with quite a few updates this time around to keep you cracking up until the holiday break. As things tend to wind down over the holiday break it’s a good time to make sure your servers and devices are up to date. Please see the table below for details on this month’s bulletin.
| Bulletin ID | Bulletin Title and Executive Summary | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL. |
Important Elevation of Privilege |
May Require Restart | Microsoft Exchange | |
Cumulative Security Update for Internet Explorer (3008923) This security update resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Critical Remote Code Execution |
Requires Restart | Microsoft Windows, Internet Explorer |
|
Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) This security update resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Critical Remote Code Execution |
May Require Restart | Microsoft Office | |
Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Important Remote Code Execution |
May Require Restart | Microsoft Office | |
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) This security update resolves two privately reported vulnerabilities in Microsoft Excel. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Excel file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Important Remote Code Execution |
May Require Restart | Microsoft Office | |
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) This security update resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
Critical Remote Code Execution |
May Require Restart | Microsoft Windows | |
Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user browses to a website containing specially crafted JPEG content. An attacker could use this information disclosure vulnerability to gain information about the system that could then be combined with other attacks to compromise the system. The information disclosure vulnerability by itself does not allow arbitrary code execution. However, an attacker could use this information disclosure vulnerability in conjunction with another vulnerability to bypass security features such as Address Space Layout Randomization (ASLR). |
Important Information Disclosure |
May Require Restart | Microsoft Windows |
More details of this bulletin can be found at the Security Bulletin site so make sure you check that out if you need more.
Happy updating everyone!
Jeffa