November has been a very “interesting” month as far as security as concerned. With this past patch Tuesday, a number of serious, high-impact vulnerabilities in Microsoft Windows were released, and this week another out-of-band patch was revealed. In the last year there have been serious Linux vulnerabilities (Heartbleed, Shellshock, etc), and now it seems that it is Microsoft’s turn – in fact, one such exploit has been dubbed “Winshock”.
Due to the sheer number of vulnerabilities that have arisen this month, this post will list those considered to have the highest impact.
- ID: CVE-2014-6332, CVE-2014-6352
- CVSS Base: 9.3
- “This security update resolves two privately reported vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.”
- ID: CVE-2014-4143, 6323, 6337, 6339-6351, 6353
- CVSS Base: various; 8-9
- “This security update resolves seventeen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.”
- ID: CVE-2014-6321
- CVSS Base: 10
- “This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.”
As a part of our daily security procedures, we look for emerging news on security vulnerabilities and monitor our environment for unusual network traffic, error logs, firewall actions, and other indicators of compromise.
We were able to patch the major “WinShock” vulnerability within several hours of discovering it, on the day the patch was released. No indicators of compromise were found after correlating relevant security details. Additionally, we use patch management software internally to schedule automatic update installation across internal devices, in this case as an on-demand patch that applied across all machines.