November 2014 Security Updates

Microsoft has released several important security updates recently, and there’s been some confusion over the impact of these vulnerabilities and the systems that they affect. One has been a vulnerability in the Schannel security provider that could allow remote code execution. Another update addressed a problem with their Kerberos implementation that could allow for privilege escalation. And finally, there was a fix that addressed a long-standing flaw in array handling within OLE Automation that could allow remote code execution.

MS14-066
Vulnerability in Schannel Could Allow Remote Code Execution

This vulnerability impacts any application that uses the CryptoAPI and Schannel provider for secure connections using SSL or TLS, and it particularly affects servers. By sending a specially crafted message to a server that accepts secure connections, an attacker can execute code remotely. This vulnerability can affect servers created using SocketTools that enable secure connections, and we recommend that developers and end-users update their systems as soon as possible.

There have been some problems reported with this update that include dropped connections that use TLS 1.2 and performance issues when connecting to a SQL Server system that has had the update installed. Make sure that you have current backups, and be prepared to rollback update KB2992611 if necessary.

Because this vulnerability impacts Windows Server 2003, it is also likely that it affects Windows XP as well, however Microsoft has not issued a patch for that platform. If you are still using Windows XP, particularly if you’re running server applications that accept secure connections, we recommend that you migrate to a supported platform and take immediate steps to ensure that it is not publically accessible.

MS14-068
Vulnerability in Kerberos Could Allow Elevation of Privilege

This vulnerability exposes a flaw in Microsoft’s implementation of the Kerberos network authentication protocol that could allow an attacker to elevate their privileges to that of the domain administrator. This issue primarily affects Windows domain controllers and update KB3011780 was released for Windows Server platforms. This vulnerability doesn’t impact Windows desktop platforms.

MS14-064
Vulnerabilities in Windows OLE Could Allow Remote Code Execution

This vulnerability is the one that received a lot of attention from the press because it’s one that has existed since Windows 95. Update KB3011443 fixes a flaw in how OLE automation handles SafeArrays that could be exploited within applications such as Microsoft Office and Internet Explorer. This affects both desktop and server platforms, and there are now exploits in the wild that take advantage of this vulnerability. Although this flaw has existed for almost 20 years, it’s important to note that Microsoft is not releasing a patch for Windows XP or earlier systems and they will remain vulnerable.