December’s cadre of seven bulletins from Microsoft includes five that involve remote code execution of some sort. These bulletins (three critical, four important) address a total of 24 vulnerabilities.

The first critical bulletin (MS14-080) contains the obligatory Internet Explorer fixes, addressing 14 new vulnerabilities across all versions of Internet Explorer. Ten of the 14 are memory corruption vulnerabilities, none of which had been publicly disclosed or exploited in the wild.

The next critical bulletin (MS14-081) resolves two vulnerabilities in Microsoft Word and Microsoft Office. These vulnerabilities allow for remote code execution if users open or preview a specifically crafted Word file, which seems to be a particularly fashionable attack vector this year.

The third critical bulletin (MS14-084) contains a VBScript fix for Internet Explorer that prevents remote code execution. I know what you are thinking … isn’t the whole point of VBScript in Internet Explorer remote code execution? Well you’re right, but this vulnerability could allow an attacker to run code you didn’t intend.

[Figure: Most Vulnerable Vendors 2013-2014]

Unless something major happens between now and the end of the year (knock on a yule log), Microsoft will finish 2014 with a total of 85 security bulletins – a decrease compared to 106 bulletins in 2013.

[Figure: Microsoft Bulletins and Vulnerabilities 2013-2014]

The total number of vulnerabilities addressed by Microsoft is down ever-so-slightly: 409 in 2013 versus 398 (as of December 10) in 2014. However, the number of critical vulnerabilities addressed by Microsoft is up: 257 (so far in 2014) versus 216 in 2013. The number of critical vulnerabilities is not surprising, since a multitude of the vulnerabilities were zero days and prompted a couple of out-of-band patches.

*Data current as of December 10, 2014.

While we are on the topic of vulnerabilities and numbers, this is a good time to remind everyone that there is an upcoming change to the CVE numbering scheme. Currently a vulnerability’s CVE number shakes out something like this: “CVE-YYYY-NNNN,” where the “YYYY” portion represents the four-digit year and the “NNNN” is a four-digit number.

Obviously the four-digit number means that CVE can only support 10,000 unique numbers in a given year. Unfortunately 10,000 vulnerabilities per year isn’t enough anymore, so the fine folks at MITRE have expanded the syntax to support 5-, 6-, and (heaven forbid) even 7-digit numbers if necessary. Soon you’ll see a CVE number that looks like “CVE-YYYY-NNNNN.” It’s not a mistake or some sort of phishing attempt—it’s just what the world has come to. If you want to learn more about the numbering change, check out this press release.
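The practical risk of the syntax change is on the consuming side: any vulnerability-tracking script that hard-codes a fixed four-digit pattern will silently reject the new IDs, so patches and advisories drop out of your reports. The following is an added example (not Skybox’s or MITRE’s code) of a parser that accepts both the legacy and the expanded form, with the legacy pattern kept only to flag which IDs an old tool would miss; the CVE IDs in it are constructed samples, not references to real entries.

```python
import re
from typing import Optional, Tuple

# Legacy fixed-width form: exactly four digits after the year.  Tools that
# hard-code this pattern reject every ID issued under the expanded syntax.
LEGACY_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4})$")

# Expanded form: four-digit year, then a sequence number of four OR MORE digits
# (the change described above allows 5-, 6-, 7-digit numbers and is open-ended).
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve(cve_id: str) -> Optional[Tuple[int, int]]:
    """Return (year, sequence_number) for a valid CVE ID, else None.

    Accepts both the legacy four-digit and the expanded five-plus-digit forms.
    Input is trimmed and upper-cased so "cve-2014-1234" is accepted, but the
    sequence number must still be at least four digits (three is never valid).
    """
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_legacy_format(cve_id: str) -> bool:
    """True if the ID would also match the old fixed four-digit syntax.

    Useful for auditing: IDs for which this returns False are exactly the ones
    a fixed-width regex in an existing tool would discard.
    """
    return LEGACY_CVE_RE.match(cve_id.strip().upper()) is not None


def normalize_cve(cve_id: str) -> Optional[str]:
    """Canonical form for use as a database key: upper case, sequence number
    zero-padded to at least four digits (longer numbers are left as-is)."""
    parsed = parse_cve(cve_id)
    if parsed is None:
        return None
    year, seq = parsed
    return f"CVE-{year:04d}-{seq:04d}"


if __name__ == "__main__":
    # Constructed sample IDs, one legacy-width and one expanded-width.
    for sample in ("cve-2014-1234", "CVE-2014-12345", "CVE-2014-123"):
        print(sample, "->", normalize_cve(sample), "legacy:", is_legacy_format(sample))
```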

The Skybox Vulnerability Database contains vulnerabilities that do not have a CVE reference, such as vulnerabilities that really represent two different risk scenarios on different systems or network configurations. You can learn more about our methodology here.