Virtual Administrator’s September 2014 Patch Recommendations

4 Security Bulletins were released – 1 Critical, 3 Important, and 0 Moderate

This Month In Brief

4 Security Bulletins were released – 1 Critical, 3 Important
(Security Bulletin MS14-045 rereleased – see below)

We have not uncovered any widespread problems with any security bulletins and are releasing all of them.
Note: Non-security update KB2889866 has been removed by Microsoft. We have denied it in all patch policies and will reconsider it next month.
September 9, 2014 update for OneDrive for Business (KB2889866):
http://support.microsoft.com/default.aspx?scid=kb;en-us;2889866

MS14-052 is rated Critical. After your next patch cycle completes you should follow up and make sure this is installed.

Last month we denied KB2982791 and KB2976897 (Security Bulletin MS14-045). Microsoft replaced the bad patch (KB2982791) with KB2993651, and we have approved it in all patch policies. Although KB2976897 was implicated as a problem last month, it has proven to be safe and we have approved it in all patch policies.

Security Bulletin MS14-045 rereleased
(http://blogs.technet.com/b/msrc/archive/2014/08/27/security-bulletin-ms14-045-rereleased.aspx)

If KB2982791 was installed: if you did not block KB2982791 in your patch policy, or you have Windows Auto Updates enabled, and KB2982791 was installed, Microsoft recommends that you uninstall this update. Microsoft has added additional information to the Known Issues section for the MS14-045 August 2014 update. Please see the related article: http://support.microsoft.com/kb/2982791.
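
A report-only PowerShell check for the follow-up described above: MS14-052 and the approved MS14-045 updates present, the withdrawn KB2982791 absent. This is an added example, not part of the original bulletin or Microsoft's guidance; the function name and the host list are assumptions to adapt to your environment.

```powershell
# Added example: report-only audit of the KB state this bulletin recommends.
# Requires PowerShell 3.0+. Get-HotFix reads Win32_QuickFixEngineering, so it
# only sees Windows component updates. "Missing" can also mean the KB does not
# apply to that OS or IE version, or was superseded by a later update.

function Test-PatchState {
    param(
        [string[]]$InstalledIds,    # HotFixID values such as 'KB2977629'
        [string[]]$MustBePresent,
        [string[]]$MustBeAbsent
    )
    foreach ($kb in $MustBePresent) {
        $found = $InstalledIds -contains $kb
        [pscustomobject]@{
            KB = $kb; Expected = 'Installed'
            Actual = $(if ($found) { 'Installed' } else { 'Missing' })
            Compliant = $found
        }
    }
    foreach ($kb in $MustBeAbsent) {
        $found = $InstalledIds -contains $kb
        [pscustomobject]@{
            KB = $kb; Expected = 'Absent'
            Actual = $(if ($found) { 'Installed' } else { 'Absent' })
            Compliant = -not $found
        }
    }
}

# KB numbers are taken from the bulletin text above.
$required  = 'KB2977629', 'KB2993651', 'KB2976897'  # MS14-052; approved MS14-045 updates
$forbidden = 'KB2982791'                            # withdrawn MS14-045 update

# Assumption: placeholder host list; replace with your own managed machines.
$computers = @($env:COMPUTERNAME)

foreach ($computer in $computers) {
    try {
        $ids = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                 Select-Object -ExpandProperty HotFixID)
    } catch {
        Write-Warning "$computer : hotfix query failed: $($_.Exception.Message)"
        continue
    }
    Test-PatchState -InstalledIds $ids -MustBePresent $required -MustBeAbsent $forbidden |
        Select-Object @{ n = 'Computer'; e = { $computer } }, KB, Expected, Actual, Compliant
}
```

Any row with Compliant = False needs a manual look: confirm the KB applies to that machine before approving, installing or uninstalling anything.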

Security News:
Starting September 9, 2014, out-of-date ActiveX controls will be blocked on computers that have the August Cumulative security update for Internet Explorer (MS14-051) or a later update applied.

KB2991000: Update to block out-of-date ActiveX controls in Internet Explorer (http://support.microsoft.com/kb/2991000 – Note: see the section “Testing the out-of-date ActiveX controls feature”).

Additional information on the out-of-date ActiveX control blocking feature in Internet Explorer is provided here:

IE to begin blocking out of date ActiveX
http://permalink.gmane.org/gmane.comp.security.patch-managment/7291

TechNet landing page for out-of-date ActiveX control blocking (http://technet.microsoft.com/en-us/library/dn761713.aspx)

Microsoft Security blog: IE increases protections, implements out-of-date ActiveX control blocking (http://blogs.technet.com/b/security/archive/2014/08/13/ie-increases-protections-implements-out-of-date-activex-control-blocking.aspx)

Exploitability

Requires Restart

  • Servers: Yes
  • Workstations: Yes

New Security Bulletins

(MS#/Affected Software/Type)

CRITICAL

MS14-052 Cumulative Security Update for Internet Explorer (2977629) (Internet Explorer) The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Details
KB in Kaseya: KB2977629
Affected Software: Internet Explorer 6-11
Known Issues per MS:

IMPORTANT

MS14-053 Vulnerability in .NET Framework Could Allow Denial of Service (2990931) (.Net Framework) The vulnerability could allow denial of service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website.
Details
KB in Kaseya: KB2972207, KB2972211, KB2972212, KB2972213, KB2972214, KB2972215, KB2972216, KB2973112, KB2973113, KB2973114, KB2973115, KB2974268, KB2974269, KB2977765, KB2977766
Affected Software: .NET Framework (excluding Microsoft .NET Framework 3.5 Service Pack 1)
Known Issues per MS:

MS14-054 Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948) (Microsoft Windows) The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
Details
KB in Kaseya: KB2988948
Affected Software: Windows 8/8.1, Server 2012/2012R2, Windows RT
Known Issues per MS:

MS14-055 Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928) (Lync) The most severe of these vulnerabilities could allow denial of service if an attacker sends a specially crafted request to a Lync server.
Details
KB in Kaseya: KB2982385, KB2982388, KB2982389, KB2982390, KB2986072, KB2992965
Affected Software: Lync Server
Known Issues per MS:

MODERATE