Virtual Administrator’s June 2014 Patch Recommendations

7 Security Bulletins were released – 2 Critical, 5 Important, and 0 Moderate

This Month In Brief

We have not uncovered any widespread problems with any of these patches and are releasing all of them.

MS14-035 and MS14-036 are rated Critical. MS14-035 affects Internet Explorer and addresses 57 vulnerabilities. After your next patch cycle completes you should follow up and make sure these are installed.
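
One way to do that follow-up for MS14-035 is the PowerShell check below. It is an added example, not a Virtual Administrator or Kaseya script. The function name `Test-BulletinInstalled` is hypothetical, and treating either of the two KBs listed for MS14-035 as sufficient on a given host is an assumption, since which package applies depends on the Internet Explorer version. `Get-HotFix` only reports updates serviced through Windows itself, so the Office and Lync packages listed for MS14-036 need to be verified through your patch-management console instead.

```powershell
# Added example. The KB numbers are the MS14-035 entries from this bulletin.
$Ms14035Kbs = 'KB2957689', 'KB2963950'

function Test-BulletinInstalled {
    # Hypothetical helper: reports, per computer, whether any of the given KBs is present.
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [Parameter(Mandatory = $true)]
        [string[]]$KbId
    )

    foreach ($computer in $ComputerName) {
        try {
            # List every hotfix, then filter locally, so a missing KB is
            # not reported as an error by Get-HotFix -Id.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $KbId -contains $_.HotFixID } |
                ForEach-Object { $_.HotFixID })

            # Assumption: one matching package is enough for this host.
            $status = if ($installed.Count -gt 0) { 'Installed' } else { 'Missing' }
        }
        catch {
            # Host offline, RPC/WMI blocked, or access denied: flag it for
            # manual follow-up rather than counting it as patched.
            $installed = @()
            $status = 'Unreachable'
        }

        New-Object PSObject -Property @{
            ComputerName = $computer
            Status       = $status
            InstalledKb  = ($installed -join ', ')
        }
    }
}

# Check the local machine; pass -ComputerName with a list of hosts to check several.
Test-BulletinInstalled -KbId $Ms14035Kbs |
    Format-Table ComputerName, Status, InstalledKb -AutoSize
```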

Windows 8.1 and Server 2012 R2 and Office 2013 considerations this month

We are releasing the previously denied KB2919355. This patch applies to Windows 8.1 and Server 2012 R2. The update was originally released in April and caused numerous problems. Microsoft reissued it in May but many problems remained. It now looks as though these problems have been resolved. There are 5 updates addressing the problems with KB2919355. Here are the details.

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 Update: April 2014
http://support.microsoft.com/kb/2919355

KB2966870
Update for Windows 8.1 and Windows Server 2012 R2
http://support.microsoft.com/kb/2966870
– Fix restart problems after you install update rollup 2919355 in Windows 8.1 or Windows Server 2012 R2
Computers that start from certain Serial Attached SCSI (SAS) storage controllers are affected by this problem. This includes, but is not limited to, the following controller drivers:
Dell H200 PERC controller
IBM x240 with on-board LSI SAS2004 ROC controller
LSI 2308 on-board controllers
LSI 9211-4i controllers
LSI 9211-8i controllers
LSI SAS 9211
Supermicro X10SL7-F motherboard

KB2966407
Update for Windows 8.1 and Windows Server 2012 R2
http://support.microsoft.com/kb/2966407
– Backing up virtual machines fails when using the CSV writer after installation of update 2919355 in Windows

KB2967162
Dynamic Update for Windows 8.1 and Windows Server 2012 R2
http://support.microsoft.com/kb/2967162
– Update to fix restart problems after you install update rollup 2919355 in Windows 8.1 or Windows Server 2012 R2

KB2969339
Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
http://support.microsoft.com/kb/2969339
– Error 0x80073712 when you install update 2919355 in Windows 8.1 or Windows Server 2012 R2

KB2939087
Update for Windows 8.1 and Windows Server 2012 R2
http://support.microsoft.com/kb/2939087
– Error 0x80071a91 when installing update 2919355 in Windows

There have been some reports of issues with this month’s non-security updates for Office 2013 Click-to-Run on Windows 7.
Here is the most reliable information we have found. It comes from Susan Bradley, a moderator on the Microsoft Community, in the thread
“Office 2013 missing after June 11 Microsoft auto updates”
(http://answers.microsoft.com/en-us/office/forum/office_2013_release-office_install/office-2013-missing-after-june-11-microsoft-auto/cde2a639-f94a-4f99-a246-8acddeea6830?page=15)
Susan Bradley

So far what seems to be working is an uninstall/reinstall of 2013. Not optimal for sure.
Based on reading between the lines and the symptoms- it appears to me to be primarily Office 2013 clicktorun on Windows 7. No VL/MSI/KMS deployment of 2013 is reporting this issue.
I don’t read that it’s the Windows updates, but the click2run update barfed.

The past info to uninstall/reinstall:
“To resolve this problem, run the Office uninstall fixit from here: http://support.microsoft.com/kb/2739501.
Next, re-install Office 2013 by logging into www.office.com/myaccount with your registered email address and click Install Office.”

No out-of-band updates were released during the last month.

Exploitability

Requires Restart

  • Servers: No
  • Workstations: No

New Security Bulletins

(MS#/Affected Software/Type)

CRITICAL

MS14-035 Cumulative Security Update for Internet Explorer (2969262) (Internet Explorer)
The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
KB in Kaseya: KB2957689, KB2963950
Affected Software: Internet Explorer 6/7/8/9/10/11
Known Issues per MS: https://support.microsoft.com/kb/2969262

MS14-036 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487) (Microsoft Office/Lync)
The vulnerabilities could allow remote code execution if a user opens a specially crafted file or webpage.
KB in Kaseya: KB2767915, KB2863942, KB2878233, KB2881013, KB2881069, KB2957503, KB2957509, KB2963282, KB2963284, KB2963285, KB2964718, KB2964736, KB2965155, KB2965161, KB2968966
Affected Software: Office 2007/2010, Lync 2010/2013
Known Issues per MS:

IMPORTANT

MS14-030 Vulnerability in Remote Desktop Could Allow Tampering (2969259) (Microsoft Windows)
The vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active Remote Desktop Protocol (RDP) session, and then sends specially crafted RDP packets to the targeted system.
KB in Kaseya: KB2965788, KB2966034
Affected Software: Windows 7/8/8.1, Server 2012/2012R2
Known Issues per MS:

MS14-031 Vulnerability in TCP Protocol Could Allow Denial of Service (2962478) (Microsoft Windows)
The vulnerability could allow denial of service if an attacker sends a sequence of specially crafted packets to the target system.
KB in Kaseya: KB2957189, KB2961858
Affected Software: Vista, Windows 7/8/8.1, Server 2008/2008R2/2012/2012R2, Windows RT/RT8.1
Known Issues per MS:

MS14-032 Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258) (Microsoft Lync Server)
The vulnerability could allow information disclosure if a user tries to join a Lync meeting by clicking a specially crafted meeting URL.
KB in Kaseya: KB2963286, KB2963288
Affected Software: Lync 2010/2013, Lync Server 2010/2013
Known Issues per MS:

MS14-033 Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061) (Microsoft Windows)
The vulnerability could allow information disclosure if a logged on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer.
KB in Kaseya: KB2939576, KB2957482, KB2966631
Affected Software: Vista, Windows 7/8/8.1, Server 2003/2008/2008R2/2012/2012R2, Windows RT/RT8.1
Known Issues per MS:

MS14-034 Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261) (Microsoft Office)
The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word.
KB in Kaseya: KB2880513, KB2880515
Affected Software: Office 2007
Known Issues per MS: