4 Security Bulletins were released – 1 Critical, 3 Important, and 0 Moderate
This Month In Brief
4 Security Bulletins were released â€“ 1 Critical, 3 Important
(Security Bulletin MS14-045 rereleased – see below)
We have not uncovered any widespread problems with any security bulletins and are releasing all of them.
Note: Non-security update KB2889866 has been removed by Microsoft. We have denied it in all patch policies and will reconsider it next month.
September 9, 2014 update for OneDrive for Business (KB2889866):
MS14-052 is rated Critical. After your next patch cycle completes you should follow up and make sure this is installed.
Last month we denied KB2982791 and KB2976897 (Security Bulletin MS14-045). Microsoft replaced the bad patch (KB2982791) with KB2993651 and we have approved it in all patch policies. Although KB2976897 was implicated as a problem last month it has proven to be safe and we have approved it in all patch policies.
Security Bulletin MS14-045 rereleased
If KB2982791 was installed. If you did not block KB2982791 in your patch policy or you have Windows Auto Updates enabled and KB2982791 was installed, Microsoft recommends customers who have installed security update KB2982791, to uninstall this update. They have added additional information in the Known Issues section for the MS14-045, August 2014 update. Please see the related article: http://support.microsoft.com/kb/2982791.
Starting September 9, 2014, out-of-date ActiveX controls will be blocked on computers that have the August Cumulative security update for Internet Explorer (MS14-051) or a later update applied.
KB2991000: Update to block out-of-date ActiveX controls in Internet Explorer (http://support.microsoft.com/kb/2991000 – Note: see the section “Testing the out-of-date ActiveX controls feature”).
Additional information on the out-of-date ActiveX control blocking feature in Internet Explorer is provided here:
IE to begin blocking out of date ActiveX
TechNet landing page for out-of-date ActiveX control blocking (http://technet.microsoft.com/en-us/library/dn761713.aspx)
Microsoft Security blog: IE increases protections, implements out-of-date ActiveX control blocking (http://blogs.technet.com/b/security/archive/2014/08/13/ie-increases-protections-implements-out-of-date-activex-control-blocking.aspx
- Publically disclosed: None
- Being exploited: MS14-052
- Rated CRITICAL: MS14-052
- (The Severity Rating System: http://technet.microsoft.com/en-us/security/bulletin/rating)
- Servers: Yes
- Workstations: Yes
New Security Bulletins
|MS14-052 Cumulative Security Update for Internet Explorer (2977629)||(Internet Explorer) The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
|MS14-053 Vulnerability in .NET Framework Could Allow Denial of Service (2990931)||(.Net Framework) The vulnerability could allow denial of service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website.
|MS14-054 Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948)||(Microsoft Windows) The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
|MS14-055 Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928)||(Lync) The most severe of these vulnerabilities could allow denial of service if an attacker sends a specially crafted request to a Lync server.