Microsoft Holds Back Security Bulletins

In its November 2014 software update, Microsoft published a large number of security bulletins, but two fewer than indicated in the advance notice.

However, the security update is nearly double its usual size and is bound to keep business IT administrators busy with 14 bulletins addressing nearly 40 vulnerabilities.

The release of MS14-068 and MS14-075 was delayed, and Microsoft gave no new release date, saying only that it was still to be decided.

Tyler Reguly, manager of security research at Tripwire, said it was not uncommon for a bad patch to be pulled during the quality assurance process.

He said: "It is, however, odd for the numbering to remain untouched. This means we'll likely see both of these bulletins released in December 2014 and they will be out of order from the other bulletins."

Wolfgang Kandek, chief technology officer at security firm Qualys, said: "It is a privately disclosed vulnerability so this should not have a major effect on a company's security situation, but we know we will get at least one critical Windows patch in December."

Kandek believes the most important bulletin is MS14-064, which addresses a current zero-day vulnerability known as CVE-2014-6352, found in the Windows Object Linking and Embedding (OLE) packager for Vista and newer versions of the Windows operating system.

Kandek added: "Attackers have been abusing the vulnerability to gain code execution by sending PowerPoint files to their targets."

Microsoft previously acknowledged the vulnerability in security advisory KB3010060 and offered a workaround using the Enhanced Mitigation Experience Toolkit (EMET) and a temporary patch in the form of a fix-it solution.

Kandek said: "This is the final fix for the OLE packager that should address all known exploit vectors and is highly recommended as the top patch."

MS14-066 is a new version of Internet Explorer and addresses 17 vulnerabilities. The most severe of these vulnerabilities could be used to gain control over a targeted machine.
