Microsoft Security Bulletin Advance Notification for November 2014

ronjor · Nov 6, 2014

Published: November 6, 2014

Version: 1.0
On this page

Executive Summaries
Affected Software
Other Information

This is an advance notification of security bulletins that Microsoft is intending to release on November 11, 2014.

This bulletin advance notification will be replaced with the November bulletin summary on November 11, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information
Click to expand...

https://technet.microsoft.com/library/security/ms14-nov

ronjor · Nov 6, 2014

Advance Notification Service for the November 2014 Security Bulletin Release
MSRC Team
6 Nov 2014 10:08 AM

Today, we provide advance notification for the release of 16 Security Bulletins. Five of these updates are rated Critical, nine are rated as Important, and two are rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).
Click to expand...

http://blogs.technet.com/b/msrc/arc...-november-2014-security-bulletin-release.aspx

anon · Nov 6, 2014

Microsoft plans monster security update for next week
http://www.computerworld.com/articl...ns-monster-security-update-for-next-week.html
-----
Microsoft to issue 16 security updates
http://www.zdnet.com/microsoft-to-issue-16-security-updates-7000035526/

siljaline · Nov 7, 2014

Microsoft plans monster security update for next week

fblais · Nov 11, 2014

They were not released yet?

anon · Nov 11, 2014

fblais said: ↑

They were not released yet?
Click to expand...

As usual =
Microsoft will release the 16 updates on Nov. 11 at 10 a.m. PT (1 p.m. ET).
------------

Patch Tuesday begins at 18:00 or 17:00 UTC (10:00 PST (UTC-8 ) or 10:00 PDT (UTC-7)
http://en.wikipedia.org/wiki/Patch_Tuesday
Click to expand...

ronjor · Nov 11, 2014

Microsoft Security Bulletin Summary for November 2014
Published: November 11, 2014
Version: 1.0
On this page

Executive Summaries
Exploitability Index
Affected Software
Detection and Deployment Tools and Guidance
Acknowledgments
Other Information

This bulletin summary lists security bulletins released for November 2014.

With the release of the security bulletins for November 2014, this bulletin summary replaces the bulletin advance notification originally issued November 6, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.
Click to expand...

https://technet.microsoft.com/library/security/ms14-nov

MrBrian · Nov 11, 2014

Microsoft Security Bulletin Summary for November 2014

November 2014 Updates

Assessing Risk for the November 2014 Security Updates

MS14-072: .NET Remoting Elevation of Privilege Vulnerability

IMHO, MS14-066 is quite bad.

Dragon1952 · Nov 11, 2014

http://www.sevenforums.com/news/351435-advance-windows-update-notification-november-10th-2014-a.html

MrBrian · Nov 11, 2014

From http://threatpost.com/microsoft-pat...ds-emet-5-1-before-applying-ie-patches/109302:

Microsoft recommends that EMET 5.0 users upgrade to 5.1 immediately before proceeding with the application of today’s patches.

[...]

Microsoft also patched a remote code execution vulnerability in Microsoft Secure Channel, or Schannel, a Windows encryption security package used for SSL and TLS connections. MS14-066 patches an issue in the way Schannel processes specially crafted packets, Microsoft said.

“The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles,” said Qualys CTO Wolfgang Kandek. “The vulnerabilities are private as they were found by Microsoft internally and while Microsoft considers it technically challenging to code an exploit it is only a matter of time and resources, it is prudent to install this bulletin in your next patch cycle.”
Click to expand...

siljaline · Nov 11, 2014

FYi: Microsoft holds back two patches.
http://www.zdnet.com/microsoft-patches-windows-ie-holds-back-two-updates-7000035677/

siljaline · Nov 11, 2014

Anyone with any Microsft FixIts in place may patch over them.

siljaline · Nov 11, 2014

fblais said: ↑

They were not released yet?
Click to expand...

Microsoft begins to populate (load up) the update servers (Windows Update - WSUS) at around 9:30 Seattle time.

They should be availabe to you now.

ronjor · Nov 11, 2014

November Exchange Releases delayed until December
The Exchange Team
11 Nov 2014 11:07 AM

We know that many of you are anxiously awaiting the release of our quarterly Exchange updates planned for November. Earlier today the Exchange Team decided to hold the release of these packages until December. We made this decision to provide more time to resolve a late breaking issue in the Installer package used with Exchange Server 2013. We have discovered that in some instances, OWA files will be corrupted by installation of a Security Update. The issue is resolved by executing an MSI repair operation before a Security Update is installed. We do not believe this is acceptable behavior and is unfortunately something that customers might only discover after they install a Security Update.
Click to expand...

http://blogs.technet.com/b/exchange...exchange-releases-delayed-until-december.aspx

MrBrian · Nov 11, 2014

From Microsoft posts critical patch for huge Windows vulnerability that affects all modern machines:

Remember Heartbleed? You know, the exploit in SSL that was so bad it got its own brand? Microsoft may have an issue of similar scale on its hands with a critical patch issued via Windows Update today.

The patch in question is MS14-066, or otherwise known as the cryptically named “Vulnerability in Schannel Could Allow Remote Code Execution,” which affects Windows Server 2003/2008/2012, Vista, 7, 8, 8.1 and Windows RT.
Click to expand...

It also probably affects Windows XP because http://support.microsoft.com/kb/894199 states (my bolding):

MS14-066: Security Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP Embedded (KB2992611)
Click to expand...

MrBrian · Nov 11, 2014

From IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows:

The IBM X-Force Research team has identified a significant data manipulation vulnerability (CVE-2014-6332) with a CVSS score of 9.3 in every version of Microsoft Windows from Windows 95 onward.

We reported this issue with a working proof-of-concept exploit back in May 2014, and today, Microsoft is patching it. It can be exploited remotely since Microsoft Internet Explorer (IE) 3.0. This complex vulnerability is a rare, “unicorn-like” bug found in code that IE relies on but doesn’t necessarily belong to. The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free.
Click to expand...

fblais · Nov 11, 2014

siljaline said: ↑

Microsoft begins to populate (load up) the update servers (Windows Update - WSUS) at around 9:30 Seattle time.

They should be availabe to you now.
Click to expand...

Got them, thanks!

MrBrian · Nov 11, 2014

From Potentially catastrophic bug bites all versions of Windows. Patch now:

While the [MS14-066] advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and sever versions of Windows alike, an indication the remote-code bug may also threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.

"If they install software that listens on port, then that machine would be vulnerable," he said. An an example would be "if they run Windows 7 but install an FTP server on it that accepts connections from outside, or a Web server on a client."
Click to expand...

MrBrian · Nov 12, 2014

Can the Windows Schannel vulnerability be exploited by visiting a website?

Sampei Nihira · Nov 12, 2014

MrBrian said: ↑

From Microsoft posts critical patch for huge Windows vulnerability that affects all modern machines:

It also probably affects Windows XP because http://support.microsoft.com/kb/894199 states (my bolding):
Click to expand...

Microsoft Security Bulletin for POS Ready2009 (November):

KB 3006226
KB 3002885
KB 2989935
KB 2991963
KB 2993958
KB 2992611
KB 3003057

MrBrian · Nov 12, 2014

I can't vouch for any of the information in this Pastebin paste:

This is the story of the most under-played Patch Tuesday update ever delivered. The "SChannel Shenanigans" bug is a once in a lifetime type of vulnerability, and Microsoft is mis-representing the scope and severity of this defect.

[...]

To sum up each amplifying risk factor for "SChannel Shenanigans":
a.) Before authentication. Methods called early on in many, many applications and libraries and services. Surface exposed to any attackers, and early.
b.) Always results in SYSTEM Privs, local or remote. A "God Mode" exploit with 100% success.
c.) Multiplicity of use and high exposure of flawed code. Huge Surface; everything including Windows 2000 onward is vulnerable.
d.) Legacy code carried onward, forever. This means modern protections that make exploiting Methods more difficult are not applied here. No EMET for you here, foolish Earth Human!

And finally, an ultimatum or two. I did not know what to do with this before, but I do know what to do now given Microsoft's response to these defects.

Microsoft has until the end of day Friday the 14th to change MS14-066 Exploit-ability Assessment to "0- Exploitation Detected". If they do not, I will anonymously distribute "The Exploit".

Microsoft has until this time next month December 16th to release a patch for legacy XP customers also affected by this vulnerability. Additional time is granted given the overhead of build and test for a new platform on short notice.
Click to expand...

RockLobster · Nov 12, 2014

This is all our own fault. We trusted Bill Gates. If we had listened to the techys in the 90s and all supported linux 20 years ago instead of Windows we all would not have the latest version of Microsoft's latest sneaky closed source spyware OS on our computers.

siljaline · Nov 12, 2014

fblais said: ↑

Got them, thanks!
Click to expand...

Bienvenue | you're most welcome.

ronjor · Nov 14, 2014

Microsoft Secure Channel (Schannel) vulnerable to remote code execution via specially crafted packets

Original Release date: 13 Nov 2014 | Last revised: 13 Nov 2014

Overview

A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network packets.
Click to expand...

http://www.kb.cert.org/vuls/id/505120

MrBrian · Nov 17, 2014

From Triggering MS14-066:

The details have been scarce. Lets fix that.
Click to expand...

Log in or Sign up

Microsoft Security Bulletin Advance Notification for November 2014

ronjor Global Moderator

ronjor Global Moderator

anon Registered Member

siljaline Registered Member

fblais Registered Member

anon Registered Member

ronjor Global Moderator

MrBrian Registered Member

Dragon1952 Registered Member

MrBrian Registered Member

siljaline Registered Member

siljaline Registered Member

siljaline Registered Member

ronjor Global Moderator

MrBrian Registered Member

MrBrian Registered Member

fblais Registered Member

MrBrian Registered Member

MrBrian Registered Member

Sampei Nihira Registered Member

MrBrian Registered Member

RockLobster Registered Member

siljaline Registered Member

ronjor Global Moderator

MrBrian Registered Member

Log in or Sign up

Microsoft Security Bulletin Advance Notification for November 2014

ronjor Global Moderator

ronjor Global Moderator

anon Registered Member

siljaline Registered Member

fblais Registered Member

anon Registered Member

ronjor Global Moderator

MrBrian Registered Member

Dragon1952 Registered Member

MrBrian Registered Member

siljaline Registered Member

siljaline Registered Member

siljaline Registered Member

ronjor Global Moderator

MrBrian Registered Member

MrBrian Registered Member

fblais Registered Member

MrBrian Registered Member

MrBrian Registered Member

Sampei Nihira Registered Member

MrBrian Registered Member

RockLobster Registered Member

siljaline Registered Member

ronjor Global Moderator

MrBrian Registered Member

Useful Searches