Bonus Windows updates fix other Windows updates
The Patch Tuesday updates were enough to keep track of, but they weren’t the only security updates Microsoft released on Tuesday. The company also reissued two older updates on certain platforms and released a new anti-POODLE feature for Internet Explorer. There are inconsistencies in the description and implementation of the anti-POODLE feature.
MS14-065: Cumulative Security Update for Internet Explorer (3003057), as released on the November Patch Tuesday, had some deficiencies in the update for one specific vulnerability. CVE-2014-6353 is one of two memory corruption vulnerabilities fixed in that update. Version 2.0 of the update was released today for Internet Explorer 10 and for Internet Explorer 8 on Windows 7 or Windows Server 2008 R2. The same fixes are included in the December Cumulative Security Update for Internet Explorer released today.
MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) was the fix for a doozy of a vulnerability in Schannel, Microsoft’s SSL/TLS implementation. On Tuesday, the update was reissued for users of Windows Vista and Windows Server 2008 to address “an issue in the original release.”
In addition to the fix for the highly critical vulnerability in MS14-066, Microsoft added some new security features, specifically new ciphers for the TLS suite. We can only guess that they did this because they were sending out a new version of the files that implement the ciphers anyway, so they thought they’d kill two birds with one stone. What they ended up killing instead was many Windows systems.