Results 1 to 2 of 2

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

  1. #1
    Senior Member JohnDoe2's Avatar
    Join Date
    Aug 2008
    Location
    PARADISE (San Diego)
    Posts
    96,987

    Microsoft Patches 33 Vulnerabilities in November Patch Tuesday Update

    Microsoft Patches 33 Vulnerabilities in November Patch Tuesday Update


    By Sean Michael Kerner | Posted 2014-11-11

    Microsoft finally patches leftover Sandworm flaws and addresses a new SSL encryption vulnerability.


    Microsoft is out today with it November Patch Tuesday update, providing 14 security updates that address 33 vulnerabilities. As part of the update, Microsoft is closing the last piece of an exploit that emerged after the October Patch Tuesday update.The October Patch Tuesday update fixed 24 Common Vulnerabilities and Exposures (CVEs), including CVE-2014-4114, the flaw known as Sandworm that was used in attacks against NATO and the European Union. On Oct. 21, Microsoft warned its users about CVE-2014-6352, which is another flaw in the Microsoft Object Linking and Embedding (OLE) technology that is at the root of the Sandworm vulnerability. Microsoft provided a "Fix-it" for CVE-2014-6352, though a full patch was not made available until today.The CVE-2014-6352 vulnerability is being patched inside of the MS14-064 advisory, which actually patches an additional OLE vulnerability identified as CVE-2014-6332."A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory," Microsoft's advisory on CVE-2014-6332 states. "When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers."

    Top 7 Benefits of an Enterprise-Class Hybrid Cloud for Government

    Download Now

    With the new OLE updates, the hope is that Sandworm-type exploitations will no longer be possible. Amol Sarwate, director of Vulnerability Labs at Qualys, explained to eWEEK that Sandworm exploited Windows OLE components and used CVE-2014-4114 initially."Today another vulnerability, CVE-2014-6352, was fixed in OLE," Sarwate said. "It's hard to say if more vulnerabilities may or may not be found in OLE, but usually when a vulnerability is found in a certain component, white hat security researchers as well as attackers start poking that component to check for existence of other flaws."

    Secure Channel
    Among the interesting flaws that Microsoft is patching this month is CVE-2014-6321, a remote code execution vulnerability in the Microsoft Secure Channel (Schannel) security technology. Schannel is a security package that enables SSL/TLS for Windows.Over the course of 2014, there have been a number of high-profile flaws in SSL, including the Heartbleed flaw in April and more recently the POODLE disclosure. Ross Barrett, senior manager of security engineering at Rapid7, told eWEEK that the CVE-2014-6321 issue is somewhat different from Heartbleed or POODLE."With Heartbleed and POODLE we had either exploitation in the wild or at least a proof of concept," Barrett said. "In this case, neither has become public. The vulnerability is still only vaguely described."Barrett added that right now the impact from CVE-2014-6321 is low, but if exploit code leaks and this proves to be a serious issue, then the impact will increase. IEAs is typical in most Microsoft Patch Tuesday updates, the Internet Explorer (IE) Web browser is responsible for a largest number of reported CVEs. For November, the MS14-065 advisory for IE includes fixes for 17 CVEs. The vulnerabilities include multiple memory corruption and information disclosure flaws."The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory," Microsoft's advisory states.Karl Sigler, threat intelligence manager at Trustwave, told eWEEK that it certainly appears that there is a constant stream of vulnerabilities in IE. That said, it appears that a lot of these are being discovered through automatic fuzzing techniques, which can often result in multiple vulnerability discoveries, he said. Fuzzing is a security technique where invalid input is thrown into an application to see what will happen."It's a bit like shaking the tree to see what falls," Sigler said.

    "Hopefully, this method of vulnerability finding will exhaust these bugs and make IE a more secure product in the end, but really we'll all be waiting for next month to see for sure."

    NO AMNESTY

    Don't reward the criminal actions of millions of illegal aliens by giving them citizenship.


    Sign in and post comments here.

    Please support our fight against illegal immigration by joining ALIPAC's email alerts here https://eepurl.com/cktGTn

  2. #2
    Senior Member JohnDoe2's Avatar
    Join Date
    Aug 2008
    Location
    PARADISE (San Diego)
    Posts
    96,987
    MORE INFO

    Drop what you're doing and patch the Windows Schannel bug(s) now
    ZDNet - ‎14 minutes ago‎
    It didn't take me long yesterday to realize that the stand-out vulnerability disclosed by Microsoft was MS14-066 "Vulnerability in Schannel Could Allow Remote Code Execution (2992611)". I know you know it's rated critical, but this one is different.


    Huge Patch Tuesday Update Tackles Critical Bugs

    TechWeekEurope UK (press release) - ‎42 minutes ago‎


    Microsoft's Patch Tuesday Update Squashes 19-Year-Old Windows Bug
    Maximum PC - ‎44 minutes ago‎


    It's DAY ZERO! EVIL 'UNICORN' vuln is in ALL Windows since 1995: PATCH IT
    Register - ‎1 hour ago‎


    Quiet Microsoft Bug Report Fixes Both Old and New Vulnerabilities
    Dumb-Out - ‎1 hour ago‎


    Microsoft Corporation Finally Fixes 19-Year-Old Bug
    ValueWalk - ‎1 hour ago‎


    November Patch Tuesday: A massive update with a few misses
    Computerworld - ‎1 hour ago‎

    This is a massive update for Microsoft Patch Tuesday with 16 patches released for November 2014. Generally, November is a quiet month, with an average five or six security updates over the past 10 years. We have seen a general increase in the number of ...

    Windows Server vNext Technical Preview: The first steps to software-defined ...
    ZDNet - ‎4 hours ago‎

    windows-server-vnext-thumb See also: Windows Server vNext screenshot gallery. The first technical preview of the next version of Windows Server — which Microsoft isn't giving a final name just yet — came out at the same time as the Windows 10 preview.

    Microsoft's silent, secret security updates
    ZDNet - ‎4 hours ago‎

    It's an odd and conspicuous feature of Microsoft's security bulletins that they never report vulnerabilities found internally at Microsoft. All of the credits go to outsiders. For example, yesterday's Patch Tuesday updates fixed 32 identified vulnerabilities, none of ...

    Microsoft Patches 33 Vulnerabilities in November Patch Tuesday Update
    eWeek - ‎20 hours ago‎

    Microsoft is out today with it November Patch Tuesday update, providing 14 security updates that address 33 vulnerabilities. As part of the update, Microsoft is closing the last piece of an exploit that emerged after the October Patch Tuesday update.

    Microsoft patches Windows, IE; holds back two updates
    ZDNet - ‎22 hours ago‎

    Microsoft today released 14 security updates to address 33 vulnerabilities in Windows, Internet Explorer and Office. Two updates scheduled for release today (MS14-068 and MS14-075) were withheld and their release date is yet to be determined.


    Microsoft fixes '19-year-old' bug with emergency patch
    BBC News - ‎2 hours ago‎

    IBM researchers discovered the flaw, which affects Windows and Office products, in May this year - but worked with Microsoft to fix the problem before going public. The bug had been present in every version of Windows since 95, IBM said. Attackers could ...

    Potentially catastrophic bug bites all versions of Windows. Patch now
    Ars Technica - ‎17 hours ago‎

    Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

    Microsoft posts critical patch for huge Windows vulnerability that affects all ...
    The Next Web - ‎15 hours ago‎

    Remember Heartbleed? You know, the exploit in SSL that was so bad it got its own brand? Microsoft may have an issue of similar scale on its hands with a critical patch issued via Windows Update today. The patch in question is MS14-066, or otherwise ...

    Windows Has a Huge Vulnerabilty, Get the Patch Now
    Gizmodo - ‎20 hours ago‎

    As scary as Heartbleed was this past spring, it looks like virtually every Microsoft Windows user is in for a little deja vu. Microsoft just released a critical patch for a huge server vulnerability—one that affects quite a few current versions of Windows out there.


    Microsoft fixes severe 19 year-old Windows bug found in everything since ...
    PCWorld - ‎1 hour ago‎

    With help from IBM, Microsoft has patched a critical Windows vulnerability that flew under the radar for nearly two decades. The bug has existed in every version of Windows since Windows 95, and would have allowed an attacker to run code remotely when ...
    NO AMNESTY

    Don't reward the criminal actions of millions of illegal aliens by giving them citizenship.


    Sign in and post comments here.

    Please support our fight against illegal immigration by joining ALIPAC's email alerts here https://eepurl.com/cktGTn

Similar Threads

  1. Microsoft releases 64 fixes on April's bumper Patch Tuesday
    By JohnDoe2 in forum Other Topics News and Issues
    Replies: 1
    Last Post: 04-12-2011, 07:32 PM
  2. Microsoft to Patch 49 Vulnerabilities Next Week (TODAY)
    By JohnDoe2 in forum Other Topics News and Issues
    Replies: 7
    Last Post: 10-13-2010, 01:58 PM
  3. Lou Dobbs Tonight Tuesday, November 20, 2007
    By jimpasz in forum illegal immigration News Stories & Reports
    Replies: 1
    Last Post: 11-20-2007, 05:31 PM
  4. Lou Dobbs Tonight Tuesday, November 6, 2007
    By jimpasz in forum illegal immigration News Stories & Reports
    Replies: 0
    Last Post: 11-06-2007, 06:40 PM
  5. Microsoft Windows Security Patch Now Ready
    By ALIPAC in forum General Discussion
    Replies: 2
    Last Post: 01-09-2006, 11:28 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •