Virtual Administrator's December 2014 Patch Recommendations

7 Security Bulletins were released – 3 Critical, 4 Important, and 0 Moderate

This Month In Brief

We have uncovered problems with some of this month’s patches/updates and are not releasing all of them.

This month we really need to try to look at the bright side. Microsoft has pulled many of the problem patches, and the denied patches/updates are either Optional updates or have a Severity rating of Important.

Denied Security Patches
MS14-075 – specifically KB2986475 affecting Exchange Server 2010 Service Pack 3
MS14-082 – specifically KB2553154 and KB2726958 affecting Office 2010/2013
(Microsoft has pulled MS14-075/KB2986475)

Denied Non-security Updates
KB3004394 – Windows Optional Root cert update
KB3011970 – Silverlight Optional update
(Microsoft has pulled both)

Heads Up! MS14-080/KB3008923 “Cumulative Security Update for Internet Explorer”: We have seen a few anecdotal reports that KB3008923 can cause IE9 and IE11 to crash. However, because the Severity rating is Critical, we have decided to release it. If you experience problems, uninstalling KB3008923 will correct them.

MS14-080, MS14-081 and MS14-084 are rated Critical. After your next patch cycle completes, you should follow up and make sure these are installed.

Out-of-band updates: MS14-068 was released on November 18th and approved in our patch policy the next day.
Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
https://technet.microsoft.com/library/security/MS14-068
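
One way to do the follow-up check recommended above on a single Windows machine, as an added example that is not part of the original advisory: it uses Get-HotFix to confirm the Windows-component KBs for MS14-068, MS14-080 and MS14-084 and to flag the pulled KB3004394. The function and variable names are hypothetical, treating any one of the three MS14-084 KBs as sufficient is an assumption, and the Office, Exchange and Silverlight KBs are left out because Get-HotFix generally does not list them.

```powershell
# Added example; requires PowerShell 3.0+ ([ordered], [pscustomobject]).
# KB numbers come from this advisory. Only Windows-component updates are checked.
$required = [ordered]@{
    'MS14-068' = @('KB3011780')                            # Kerberos, out-of-band
    'MS14-080' = @('KB3008923')                            # Internet Explorer cumulative
    'MS14-084' = @('KB3012168', 'KB3012172', 'KB3012176')  # VBScript; assumption: any one satisfies
}
$denied = @('KB3004394')                                   # root cert update, pulled by Microsoft

function Test-PatchState {
    param(
        [string[]]$InstalledIds,                           # HotFixID values found on the machine
        [System.Collections.IDictionary]$Required,         # bulletin -> acceptable KBs
        [string[]]$Denied                                  # KBs that should not be present
    )
    foreach ($bulletin in $Required.Keys) {
        $wanted = $Required[$bulletin]
        $found  = @($wanted | Where-Object { $InstalledIds -contains $_ })
        [pscustomobject]@{
            Item   = $bulletin
            KB     = if ($found.Count) { $found -join ',' } else { $wanted -join ',' }
            Status = if ($found.Count) { 'Installed' } else { 'MISSING' }
        }
    }
    foreach ($kb in $Denied) {
        [pscustomobject]@{
            Item   = 'Denied update'
            KB     = $kb
            Status = if ($InstalledIds -contains $kb) { 'PRESENT - review' } else { 'Absent' }
        }
    }
}

$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$report    = Test-PatchState -InstalledIds $installed -Required $required -Denied $denied
$report | Format-Table -AutoSize

# A non-zero exit code lets a calling script flag the machine for follow-up.
if ($report | Where-Object { $_.Status -ne 'Installed' -and $_.Status -ne 'Absent' }) { exit 1 }
```

A MISSING result is a prompt to review, not proof of exposure: a machine patched in a later cycle may carry a newer cumulative update instead of the KB listed here.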

Exploitability

Requires Restart

  • Servers: True
  • Workstations: True

New Security Bulletins

(MS#/Affected Software/Type)

CRITICAL

MS14-080 Cumulative Security Update for Internet Explorer (3008923) (Internet Explorer) The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Details
KB in Kaseya: KB3008923
Affected Software: Internet Explorer 6-11
Known Issues per MS: https://support.microsoft.com/kb/3008923

MS14-081 Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) (Microsoft Office) The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software.
Details
KB in Kaseya: KB2883050, KB2889851, KB2899581, KB2899518, KB2899519, KB2910892, KB2910916, KB2920729, KB2920792, KB2920793, KB3018888
Affected Software: Office 2007/2010/2011/2013, Office Web Apps 2010/2013, SharePoint Server 2010/2013
Known Issues per MS:

MS14-084 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) (Microsoft Windows) The vulnerability could allow remote code execution if a user visits a specially crafted website.
Details
KB in Kaseya: KB3012168, KB3012172, KB3012176
Affected Software: Vista, Windows 7, Server 2003/2008/2008R2, VBScript 5.6/5.7/5.8
Known Issues per MS:

IMPORTANT

MS14-075 Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) (Microsoft Exchange) The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site.
Details
KB in Kaseya: KB2986475, KB2996150, KB3011140
Affected Software: Exchange 2007/2010/2013
Known Issues per MS: https://support.microsoft.com/kb/3009712

MS14-082 Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) (Microsoft Office) The vulnerability could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office.
Details
KB in Kaseya: KB2553154, KB2596927, KB2726958
Affected Software: Office 2007/2010/2013
Known Issues per MS:

MS14-083 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) (Microsoft Office) The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Excel file in an affected version of Microsoft Office software.
Details
KB in Kaseya: KB2910902, KB2910929, KB2984942
Affected Software: Excel 2007/2010/2013
Known Issues per MS:

MS14-085 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) (Microsoft Windows) The vulnerability could allow information disclosure if a user browses to a website containing specially crafted JPEG content.
Details
KB in Kaseya:
Affected Software: Vista, Windows 7/8/8.1, Server 2003/2008/2008R2, Windows RT
Known Issues per MS: