7 Security Bulletins were released – 3 Critical, 4 Important, and 0 Moderate
This Month In Brief
We have uncovered problems with some of this month’s patches/updates and are not releasing all of them.
This month we really need to try and look at the bright side. Microsoft has pulled many of the problem patches and the denied patches/updates are either Optional updates or have a Severity rating of Important.
Denied Security Patches
MS14-075 – specifically KB2986475 affecting Exchange Server 2010 Service Pack 3
MS14-082 – specifically KB2553154 and KB2726958 affecting Office 2010/2013
(Microsoft has pulled MS14-075/KB2986475)
Denied Non-security Updates
KB3004394 – Windows Optional Root cert update
KB3011970 – Silverlight Optional update
(Microsoft has pulled both)
Heads Up! MS14-080/KB3008923 “Cumulative Security Update for Internet Explorer”: We have seen a few anecdotal reports that KB3008923 can cause IE9 and IE11 to crash. However, because the Severity rating is Critical, we have decided to release it. If you experience problems, uninstalling KB3008923 will correct them.
MS14-080, MS14-081 and MS14-084 are rated Critical. After your next patch cycle completes, you should follow up and make sure these are installed.
Out-of-band updates: MS14-068 was released on November 18th and approved in our patch policy the next day.
Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
https://technet.microsoft.com/library/security/MS14-068
Exploitability
- Publicly disclosed: None
- Being exploited: None
- Rated CRITICAL: MS14-080, MS14-081, MS14-084
- (The Severity Rating System: http://technet.microsoft.com/en-us/security/bulletin/rating)
Requires Restart
- Servers: True
- Workstations: True
New Security Bulletins
(MS#/Affected Software/Type)
CRITICAL
MS14-080 Cumulative Security Update for Internet Explorer (3008923)
(Internet Explorer) The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

MS14-081 Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
(Microsoft Office) The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software.

MS14-084 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
(Microsoft Windows) The vulnerability could allow remote code execution if a user visits a specially crafted website.
IMPORTANT
MS14-075 Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
(Microsoft Exchange) The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site.

MS14-082 Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
(Microsoft Office) The vulnerability could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office.

MS14-083 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
(Microsoft Office) The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Excel file in an affected version of Microsoft Office software.

MS14-085 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)
(Microsoft Windows) The vulnerability could allow information disclosure if a user browses to a website containing specially crafted JPEG content.