9 Security Bulletins were released – 3 Critical, 6 Important, and 0 Moderate
This Month In Brief
8 New Security Bulletins were released â€“ 2 Critical, 6 Important
Microsoft included the May 1st out of band patch (MS14-021) in May’s Security Bulletins . This was previously approved the day it became available – see https://virtualadministrator.com/blog/microsoft-internet-explorer-vulnerability-patch-release/
KB2919355 was denied last month and is still denied – see details below.
KB2920189 has been denied – see details below.
All new Security bulletins have been allowed – please note warning to Office 2013 users for MS14-023
Most important this month is MS14-021 and MS14-029. MS14-021 was released out of band on May 1st and MS14-029 is new. Both address Internet Explorer vunlerabilities. Also “Important” means “Important” 3 of the 6 Important updates are already being exploited. Everyone’s goal should be to keep all machines fully patched!
Due to the increasing list of problems this update has caused, Microsoft has entended the installation deadline to June 10 (Windows 8.1 Update Requirement Extended: http://blogs.windows.com/windows/b/windowsexperience/archive/2014/05/12/windows-8-1-update-requirement-extended.aspx). Machines should continue update normally with this month’s patches. Virtual Administrator is working on a blog to give guidance on the installation of KB2919355 soon.
This is a Security Advisory (not a Bulletin). Security Advisories are issues that may not be classified as vulnerabilities and may not require a security bulletin.
Potential problems situations
If you install this security update on a system that uses a noncompliant Unified Extensible Firmware Interface (UEFI) module, you may be unable to start the computer.
You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.
You have a Windows Server 2012 R2-based Hyper-V host running and you are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled. The guest virtual machine is running Windows 8 or Windows Server 2012.
Microsoft Security Advisory 2962824
Update Rollup of Revoked Non-Compliant UEFI Modules (https://technet.microsoft.com/library/security/2962824)
MS14-023 on Office 2013
Security Update for Microsoft Office 2013 (KB2878316) fails
Outlook 2013 is relying on DirectX and this issue has reared it’s head in prior Outlook updates as well.
Here is the fix:
1. Disable Aero
2. Disable hardware acceleration
3. Look for an updated video driver.
- Publically disclosed: None
- Being exploited: MS14-021, MS14-024, MS14-025, MS14-027, MS14-029
- Rated CRITICAL: MS14-021, MS14-022, MS14-029
- (The Severity Rating System: http://technet.microsoft.com/en-us/security/bulletin/rating)
- Servers: Yes
- Workstations: Yes
New Security Bulletins
|MS14-021 Security Update for Internet Explorer (2965111)||(Internet Explorer) The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer.
|MS14-022 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)||(Sharepoint) The most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.
|MS14-029 Security Update for Internet Explorer (2962482)||(Internet Explorer) The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
|MS14-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037)||(Microsoft Office) The most severe vulnerability could allow remote code execution if a user opens an Office file that is located in the same network directory as a specially crafted library file.
|MS14-024 Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)||(Microsoft Office) The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer.
|MS14-025 Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)||(Microsoft Windows) The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain – a practice that could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.
|MS14-026 Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)||( .NET Framework) The vulnerability could allow elevation of privilege if an authenticated attacker sends specially crafted data to an affected workstation or server that uses .NET
|MS14-027 Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)||(Windows Shell) The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that uses ShellExecute.
|MS14-028 Vulnerabilities in iSCSI Could Allow Denial of Service (2962485)||(iSCSI) The vulnerabilities could allow denial of service if an attacker sends large amounts of specially crafted iSCSI packets over the target network.