beyondtrust.com has the information.
MS14-066 was patched on the November Patch Tuesday (Nov 11), and here are the details:
Unfortunately for machines that are not patched regularly, the Microsoft patch lets a reverse engineer figure out what was changed and then create a hack/proof of concept (PoC).
We can now see that the added logic controls a path to a memcpy (actually two memcpys — they wouldn’t both fit in the screenshot). This is an indication that we are looking in the right place. – See more at: http://blog.beyondtrust.com/triggering-ms14-066#sthash.SVTUcTk6.dpuf
That is the starting point for the PoC.
….. more analysis ….
Final result:
So all we really need to do is edit s3_clnt.c to randomly change one byte in ‘p’ to a random value before sending our certificate verify message back to IIS over and over again and wait until something cool happens. (i.e. crashing memcpy)