4 Security Bulletins were released – 2 Critical, 2 Important, and 0 Moderate
This Month In Brief
We are denying KB2919355 at this time- see details below. All other patches have been approved.
MS14-017 and MS14-018 are rated Critical. After your next patch cycle completes you should follow up and make sure these are installed. MS14-017 is only known to have been exploitable in the Word for Windows 2010 but all versions are technically vulnerable. MS14-018 affects Internet Explorer versions 6-11 (but not 10).
No out-of-band updates were released during the last month.
XPocalypse: Support for Windows XP and Office 2003 ended April 8, 2014. There will be no more security updates or technical support for the Windows XP operating system. Here a good article for those affected “Cyber threats to Windows XP and guidance for Small Businesses and Individual Consumers” (http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx)
Denied: KB2919355 is a cumulative set of security updates, critical updates and updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2. It is listed under MS14-018 however the newly reported vulnerabilities are patched with KB2936068 which has been approved in our patch policy. If KB2936068 is installed you are protected in spite of the KB2919355 deny.
The issues with KB2919355 are listed below. We will monitor Microsoftâ€™s progress correcting these issues over the next few weeks. We will likely be compelled to approve KB2919355 next month regardless as â€œAll future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require this update to be installed.â€
Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 Update: April 2014
Issue with Windows Server 2012 R2 Update KB 2919355 | view topic:
Error 0x80071a91 when installing update 2919355 in Windows:
Internet Explorer 11 crashes when you turn on or turn off the Enterprise Mode feature
You are unable to uninstall IIS after you install KB2919355 in Windows 8.1 or Windows Server 2012 R2:
- Publically disclosed: MS14-017, MS14-019
- Being exploited: MS14-017
- Rated CRITICAL: MS14-017, MS14-018
- (The Severity Rating System: http://technet.microsoft.com/en-us/security/bulletin/rating)
- Servers: No
- Workstations: No
New Security Bulletins
|MS14-017 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)
|(Microsoft Office/Services/Web Apps) The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened or previewed in an affected version of Microsoft Office software.
|MS14-018 Cumulative Security Update for Internet Explorer (2950467)
|(Internet Explorer) These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
|MS14-019 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)
|(Microsoft Windows) The vulnerability could allow remote code execution if a user runs specially crafted .bat and .cmd files from a trusted or semi-trusted network location.
|MS14-020 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)
|(Microsoft Publisher) The vulnerability could allow remote code execution if a user opens a specially crafted file in an affected version of Microsoft Publisher.