Advisories

CERT-In Advisory CIAD-2014-0064

Multiple Vulnerabilities in Microsoft Products

Original Issue Date: November 12, 2014

Severity Rating: High

Systems Affected

Windows Server 2003 x64 Edition SP2 and Itanium-based Systems sp2
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit,x64-based and Itanium-based Systems SP2
Windows 7 for 32-bit and x64-based Systems SP1
Windows Server 2008 R2 for x64-based and Itanium-based Systems SP1
Windows Server 2008 for 32-bit & x64-based Systems Service Pack 2 (Server Core installation)
Windows 8 and Windows 8.1 (32-bit Systems and x64-based Systems)
Windows Server 2012
Windows Server 2012 R2
Windows RT
Windows RT 8.1
Microsoft Office 2007 SP3
Microsoft Office 2007 IME (Japanese)
Microsoft Word 2007 Service Pack 3
Microsoft Word Viewer
Microsoft Office Compatibility Pack Service Pack 3

Component Affected

Microsoft XML Core Services 3.0
Internet Explorer 6, 7, 8, 9, 10 and 11
Microsoft .NET Framework 1.1 & 2.0 Service Pack 1
Microsoft .NET Framework 3.5 & 3.5.1
Microsoft .NET Framework 4 & 4.5
Microsoft .NET Framework 4.5.1 & 4.5.2
IIS 8.0 on Windows 8 for 32-bit & x64-based Systems
IIS 8.5 on Windows 8.1 for 32-bit & x64-based Systems
IIS 8.0 on Windows Server 2012 for x64-based Systems
IIS 8.5 on Windows Server 2012 R2 for x64-based Systems
Microsoft SharePoint Server 2010 Service Pack 2

Overview

Multiple Vulnerabilities have been reported in various components of Microsoft Products.

Description

The vulnerability notes released by CERT-In with reference to Microsoft Security Bulletins are given below:

Microsoft Security Bulletin	Severity	CERT-In Vulnerability Notes
MS14-064:Vulnerabilities in Windows OLE Could Allow Remote Code Execution	High	CIVN-2014-0246 Multiple Remote Code Execution Vulnerabilities in Microsoft Windows OLE
MS14-065:Cumulative Security Update for Internet Explorer	High	CIVN-2014-0247 Multiple Vulnerabilities in Microsoft Internet Explorer
MS14-066 :Vulnerability in Schannel Could Allow Remote Code Execution	High	CIVN-2014-0248 Remote Code Execution Vulnerability in Microsoft Schannel
MS14-067:Vulnerability in XML Core Services Could Allow Remote Code Execution	High	CIVN-2014-0249 Remote Code Execution Vulnerability in Microsoft XML Core Services
MS14-069:Vulnerabilities in Microsoft Office Could Allow Remote Code Execution	Medium	CIVN-2014-0250 Multiple Remote Code Execution Vulnerabilities in Microsoft Word
MS14-070:Vulnerability in TCP/IP Could Allow Elevation of Privilege	High	CIVN-2014-0251 Microsoft Windows TCP/IP Memory Object Handling Privilege Escalation Vulnerability
MS14-071:Vulnerability in Windows Audio Service Could Allow Elevation of Privilege	Medium	CIVN-2014-0252 Microsoft Windows Audio Service Privilege Escalation Vulnerability
MS14-072:Vulnerability in .NET Framework Could Allow Elevation of Privilege	High	CIVN-2014-0253 Microsoft .NET Framework Elevation of Privilege Vulnerability
MS14-073:Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege	High	CIVN-2014-0254 Microsoft SharePoint Server Arbitrary Script Execution Vulnerability
MS14-074:Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass	High	CIVN-2014-0255 Microsoft Windows Remote Desktop Protocol Auditing Bypass Vulnerability
MS14-076:Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass	Medium	CIVN-2014-0256 Microsoft IIS Security Bypass Vulnerability
MS14-077 :Vulnerability in Active Directory Federation Services Could Allow Information Disclosure	High	CIVN-2014-0257 Microsoft Active Directory Federation Services Information Disclosure Vulnerability
MS14-078 :Vulnerability in IME (Japanese) Could Allow Elevation of Privilege	Medium	CIVN-2014-0258 Microsoft Windows Input Method Editor (Japanese) Privilege Elevation Vulnerability
MS14-079:Vulnerability in Kernel Mode Driver Could Allow Denial of Service	Medium	CIVN-2014-0258 Microsoft Windows Kernel TrueType Font Processing Denial of Service Vulnerability

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin November 2014
https://technet.microsoft.com/library/security/ms14-nov

Vendor Information

Microsoft Corporation
https://technet.microsoft.com/library/security/ms14-nov

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India