This article is more than 1 year old

It's 2014 and you can still own a Windows box using a Word file or font

And Adobe's software is still riddled with holes. Get the updates – now

Patch Tuesday Microsoft has today patched two dozen CVE-classified security vulnerabilities in its software. People are urged to install them as soon as possible.

The US giant said the October edition of Patch Tuesday includes three critical fixes to address flaws in Internet Explorer, the .NET Framework and Windows kernel-mode driver.

The complete list is as follows:

  • MS14-056 A cumulative update for all supported versions of Internet Explorer, including a fix for a remote code execution bug exploitable by malicious webpages. These are considered a lower risk on Windows Server. 16 different researchers were credited in reporting the 14 CVE entries addressed by the update.

  • MS14-057 Three vulnerabilities in .NET, including a critical remote code execution flaw. Supported versions of the .NET Framework 2.0 Service Pack 2 through 4.5.2 will need to be patched on all supported Windows systems. Their discovery is credited to Context Information Security. CVE-2014-4073 allows an escalation of privilege, CVE-2014-4121 is the remote-code execution hole triggered by processing a specially crafted Asian Unicode URI, and CVE-2014-4122 allows the security defense mechanism ASLR to be bypassed.

  • MS14-058 A pair of critical flaws in the kernel-mode driver allowing remote code execution due to bad TTF font parsing in the kernel (CVE-2014-4148) and elevation of privileges (CVE-2014-4113) on all supported versions of Windows and Windows Server. The TTF hole can be exploited by tricking someone into opening an Office documented with malicious font data embedded in it. Discovery of these bugs are credited to researchers with FireEye and CrowdStrike Intelligence Team.

  • MS14-059 A security bypass vulnerability (CVE-2014-4075) in Windows ASP.NET which could allow malicious sites to feed users content and ads without permission. The flaw was rated as 'important' by Microsoft.

  • MS14-060 A remote-code execution flaw (CVE-2014-4114) in Windows OLE which has been rated 'important'. It can be used to run malicious programs on a PC if the user is tricked into opening a specially-crafted Office Powerpoint file – and apparently exploited by Russian hackers against NATO and the EU. Its discovery is credited to iSight Partners.

  • MS14-061 An 'important' rated vulnerability (CVE-2014-4117) in Office that allows an attacker to use malicious Word files to achieve remote code execution at the level of the logged-in user. The flaw can be mitigated by limiting the access rights of user accounts. The flaw is also present in Office for Mac. The discovery is credited to 35 Labs via the HP Zero Day Initiative.

  • MS14-062 A vulnerability (CVE-2014-4971) in Windows Server 2003 rated as 'important'. The elevation of privilege flaw was found in the Message Queuing Service and does not affect other versions of the operating system.

  • MS14-063 An 'important' rated flaw (CVE-2014-4115) in the Windows FAT32 Disk Partition Driver which could allow an attacker to obtain elevation of privilege on Windows Server 2003, Vista and Server 2008. A researcher for Cisco Talos was credited with the discovery.

Adobe, meanwhile, has released its own monthly patch update. That patch will include a fix for three remote-code execution flaws in Flash Player for Windows, OS X and Linux. Adobe is also patching a trio of flaws in ColdFusion allowing elevation of privilege and security control bypass. ®

More about

TIP US OFF

Send us news


Other stories you might like