Share via


Microsoft Security Bulletin: December 2014 Release!

3823_7103_securitybulletin_thumb_32407BF9_thumb_12CC8186

Welcome to yet another month of updates! It’s pretty busy with quite a few updates this time around to keep you cracking up until the holiday break. As things tend to wind down over the holiday break it’s a good time to make sure your servers and devices are up to date. Please see the table below for details on this month’s bulletin.

Bulletin ID Bulletin Title and Executive Summary Maximum Severity Rating and Vulnerability Impact Restart Requirement Affected Software

MS14-075

Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL.

Important Elevation of Privilege

May Require Restart Microsoft Exchange

MS14-080

Cumulative Security Update for Internet Explorer (3008923) This security update resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Critical Remote Code Execution

Requires Restart

Microsoft Windows, Internet Explorer

MS14-081

Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) This security update resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Critical Remote Code Execution

May Require Restart Microsoft Office

MS14-082

Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Important Remote Code Execution

May Require Restart Microsoft Office

MS14-083

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) This security update resolves two privately reported vulnerabilities in Microsoft Excel. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Excel file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Important Remote Code Execution

May Require Restart Microsoft Office

MS14-084

Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) This security update resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Critical Remote Code Execution

May Require Restart Microsoft Windows

MS14-085

Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user browses to a website containing specially crafted JPEG content. An attacker could use this information disclosure vulnerability to gain information about the system that could then be combined with other attacks to compromise the system. The information disclosure vulnerability by itself does not allow arbitrary code execution. However, an attacker could use this information disclosure vulnerability in conjunction with another vulnerability to bypass security features such as Address Space Layout Randomization (ASLR).

Important Information Disclosure

May Require Restart Microsoft Windows

More details of this bulletin can be found at the Security Bulletin site so make sure you check that out if you need more.

Happy updating everyone!

Jeffa

Technorati Tags: Updates,Patching