Virtual Administrator’s July 2014 Patch Recommendations

6 Security Bulletins were released – 2 Critical, 3 Important, and 1 Moderate

This Month In Brief

We have not uncovered any widespread problems with any of these patches and are releasing all of them.

MS14-037 and MS14-038 are rated Critical. MS14-037 is yet another cumulative update for Internet Explorer 6-11, and it fixes 24 vulnerabilities. After your next patch cycle completes, you should follow up and make sure this update is installed. MS14-038 fixes a vulnerability in Windows Journal (.jnt extension). While the number of Windows Journal users is limited, all critical updates should be taken seriously.

No out-of-band updates were released during the last month.

Exploitability

Requires Restart

  • Servers: Yes
  • Workstations: Yes

New Security Bulletins

(MS#/Affected Software/Type)

CRITICAL

MS14-037 Cumulative Security Update for Internet Explorer (2975687) (Internet Explorer) The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Details
KB in Kaseya: KB2962872, KB2963952
Affected Software: Internet Explorer version 6-11
Known Issues per MS: https://support.microsoft.com/kb/2975687

MS14-038 Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) (Windows Journal) The vulnerability could allow remote code execution if a user opens a specially crafted Journal file.
Details
KB in Kaseya: KB2971850, KB2974286
Affected Software: Vista, Windows 7/8/8.1, Server 2008/2008R2/2012/2012R2, Windows RT
Known Issues per MS:

IMPORTANT

MS14-039 Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685) (Microsoft Windows) The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.
Details
KB in Kaseya: KB2973201, KB2973906
Affected Software: Vista, Windows 7/8/8.1, Server 2008/2008R2/2012/2012R2, Windows RT
Known Issues per MS:

MS14-040 Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) (Microsoft Windows) The vulnerability could allow elevation of privilege if an attacker logs onto a system and runs a specially crafted application.
Details
KB in Kaseya: KB2961072, KB2973408
Affected Software: Vista, Windows 7/8/8.1, Server 2003/2008/2008R2/2012/2012R2, Windows RT
Known Issues per MS:

MS14-041 Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681) (DirectShow) The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user.
Details
KB in Kaseya: KB2972280, KB2973932
Affected Software: Vista, Windows 7/8/8.1, Server 2008/2008R2/2012/2012R2
Known Issues per MS:

MODERATE

MS14-042 Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) (Microsoft Server Software) The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system.
Details
KB in Kaseya: KB2972621
Affected Software: BackOffice Small Business Server, Server 2008R2/2012/2012R2
Known Issues per MS: https://support.microsoft.com/kb/2972621