Skip to content

Virtual Administrator’s May 2014 Patch Recommendations

9 Security Bulletins were released – 3 Critical, 6 Important, and 0 Moderate

This Month In Brief

8 New Security Bulletins were released – 2 Critical, 6 Important

Microsoft included the May 1st out of band patch (MS14-021) in May’s Security Bulletins . This was previously approved the day it became available – see https://virtualadministrator.com/blog/microsoft-internet-explorer-vulnerability-patch-release/

Denied Updates
KB2919355 was denied last month and is still denied – see details below.
KB2920189 has been denied – see details below.
All new Security bulletins have been allowed – please note warning to Office 2013 users for MS14-023

Most important this month is MS14-021 and MS14-029. MS14-021 was released out of band on May 1st and MS14-029 is new. Both address Internet Explorer vunlerabilities. Also “Important” means “Important” 3 of the 6 Important updates are already being exploited. Everyone’s goal should be to keep all machines fully patched!

Denied KB2919355
Due to the increasing list of problems this update has caused, Microsoft has entended the installation deadline to June 10 (Windows 8.1 Update Requirement Extended: http://blogs.windows.com/windows/b/windowsexperience/archive/2014/05/12/windows-8-1-update-requirement-extended.aspx). Machines should continue update normally with this month’s patches. Virtual Administrator is working on a blog to give guidance on the installation of KB2919355 soon.

Denied KB2920189
This is a Security Advisory (not a Bulletin). Security Advisories are issues that may not be classified as vulnerabilities and may not require a security bulletin.

Potential problems situations
First
If you install this security update on a system that uses a noncompliant Unified Extensible Firmware Interface (UEFI) module, you may be unable to start the computer.

Second
Configuration 1
You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.
Configuration 2
You have a Windows Server 2012 R2-based Hyper-V host running and you are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled. The guest virtual machine is running Windows 8 or Windows Server 2012.

Microsoft Security Advisory 2962824
Update Rollup of Revoked Non-Compliant UEFI Modules (https://technet.microsoft.com/library/security/2962824)
http://support.microsoft.com/kb/2920189

Warning

MS14-023 on Office 2013
Security Update for Microsoft Office 2013 (KB2878316) fails
Outlook 2013 is relying on DirectX and this issue has reared it’s head in prior Outlook updates as well.
https://support.microsoft.com/kb/2961037
Here is the fix:
1. Disable Aero
2. Disable hardware acceleration
OR
3. Look for an updated video driver.

Exploitability

Requires Restart

  • Servers: Yes
  • Workstations: Yes

New Security Bulletins

(MS#/Affected Software/Type)

CRITICAL

MS14-021 Security Update for Internet Explorer (2965111) (Internet Explorer) The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer.
Details
KB in Kaseya: KB2964358
Affected Software: Internet Explorer 6/7/8/9/11
Known Issues per MS: https://support.microsoft.com/kb/2965111
MS14-022 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166) (Sharepoint) The most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.
Details
KB in Kaseya: KB2596763, KB2596902, KB2837588, KB2837598, KB2837616, KB2863829, KB2863856
Affected Software: SharePoint Server 2007/2010/2013, SharePoint Designer 2007/2010/2013, Office Web Apps 2010/2013
Known Issues per MS: https://support.microsoft.com/kb/2952166
MS14-029 Security Update for Internet Explorer (2962482) (Internet Explorer) The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Details
KB in Kaseya: KB2953522
Affected Software: Internet Explorer 6/7/8/9/11
Known Issues per MS: https://support.microsoft.com/kb/2962482

IMPORTANT

MS14-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037) (Microsoft Office) The most severe vulnerability could allow remote code execution if a user opens an Office file that is located in the same network directory as a specially crafted library file.
Details
KB in Kaseya: KB2767772, KB2878284, KB2878316, KB2880463
Affected Software: Office 2007/2010/2013
Known Issues per MS: https://support.microsoft.com/kb/2961037
MS14-024 Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033) (Microsoft Office) The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer.
Details
KB in Kaseya: KB2589288, KB2596804, KB2760272, KB2810073, KB2817330, KB2880502, KB2880507, KB2880508, KB2880971
Affected Software: Office 2007/2010/2013
Known Issues per MS:
MS14-025 Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486) (Microsoft Windows) The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain – a practice that could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.
Details
KB in Kaseya: KB2928120, KB2961899
Affected Software: Vista, Windows 7/8/8.1, Server 2003, Server 2008/2008R2/2012/2012R2
Known Issues per MS:
MS14-026 Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) ( .NET Framework) The vulnerability could allow elevation of privilege if an authenticated attacker sends specially crafted data to an affected workstation or server that uses .NET
Details
KB in Kaseya: KB2931352, KB2931354, KB2931356, KB2931357, KB2931365, KB2931366, KB2931367, KB2931368, KB2932079
Affected Software: Vista, Windows 7/8/8.1, Server 2003, Server 2008/2008R2/2012/2012R2, Windows RT
Known Issues per MS:
MS14-027 Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488) (Windows Shell) The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that uses ShellExecute.
Details
KB in Kaseya: KB2926765, KB2962123
Affected Software: Vista, Windows 7/8/8.1, Server 2003, Server 2008/2008R2/2012/2012R2, Windows RT
Known Issues per MS:
MS14-028 Vulnerabilities in iSCSI Could Allow Denial of Service (2962485) (iSCSI) The vulnerabilities could allow denial of service if an attacker sends large amounts of specially crafted iSCSI packets over the target network.
Details
KB in Kaseya: KB2933826, KB2962073
Affected Software: Server 2008/2008R2/2012/2012R2
Known Issues per MS:

MODERATE

Scroll To Top