My next class:

Microsoft May 2014 Patch Tuesday

Published: 2014-05-13. Last Updated: 2014-05-13 17:41:51 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Overview of the May 2014 Microsoft patches and their status.

IMPORTANT: Don't miss MS14-029. This bulletin fixes ANOTHER vulnerability in MSIE that has already been used in targeted exploits! 

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers

MS14-021

(released May 1st)

Security Update for Internet Explorer
Microsoft Windows, Internet Explorer

CVE-2014-1776
KB 2965111 Yes! Severity:Critical
Exploitability: 1
PATCH NOW Critical
MS14-022 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution
Microsoft Server Software,Productivity Software
CVE-2014-0251
CVE-2014-1754
CVE-2014-1813
 
KB 2952166 . Severity:Critical
Exploitability: 1,3
Important Critical
MS14-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
Microsoft Office
CVE-2014-1756
CVE-2014-1808  
KB 2961037 . Severity:Important
Exploitability: 1
Critical Important
MS14-024 Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (ASLR Bypass)
Microsoft Office
CVE-2014-1809  
KB 2961033 Yes Severity:Important
Exploitability: NA
Important Important
MS14-025 Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege
Group Policy Preferences
CVE-2014-1820
KB 2962486 . Severity:Important
Exploitability: 1
Important Important
MS14-026 Vulnerability in .NET Framework Could Allow Elevation of Privilege
Microsoft Windows,Microsoft .NET Framework
CVE-2014-1806
KB 2958732 . Severity:Important
Exploitability: 1
Important Important
MS14-027 Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege
Microsoft Windows
CVE-2014-1807
KB 2962488 Yes Severity:Important
Exploitability: 1
Important Important
MS14-028 Vulnerability in iSCSI Could Allow Denial of Service
iSCSI
CVE-2014-0225
CVE-2014-0226
KB 2962485 . Severity:Important
Exploitability: 3
Important Important
MS14-029 Security Update for Internet Explorer
Microsoft Windows, Internet Explorer

CVE-2014-0310
CVE-2014-1815
 
KB 2962482 Yes Severity:Critical
Exploitability: 1
PATCH NOW! Critical
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

       

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: mspatchday
5 comment(s)
My next class:

Comments

Acording to Microsoft MS14-029 superseeds MS14-021 (except for XP of course), so MS14-021 is not important any more.
Anyone have any clue why KB2871997 wasn't included in the monthly updates? Seems pretty security related to me.

https://technet.microsoft.com/library/security/2871997
"Note that since these changes will primarily benefit systems in an enterprise environment, this update has been made optional to consumers. Consumers who want to install this update should run the Windows Update client and select the optional update for 2871997."

It is being pushed thru WSUS.
Does anyone know where to get the updated common controls (ocx-files) without having a vulnerable office versions installed? What seems as a typical behaviour from Microsoft, one can't find the updated files anywhere as a downloadable package.

There still lots of older software which distribute these controls as a required part of the application. Our company is one of them and we wouldn't want to distribute vulnerable versions in case the user doesn't have Office packages installed..
FYI - Don't know if anyone else is experiencing this or not ... I have tried loading this page in Chrome 34.0.1847.137 m, IE 11.0.9600.17105, and Firefox 29.01 and none of them properly displays the table. In Chrome I see half of the Client column (Patc NOW, Import, Critc) with no option to scroll over to the server column. Display is almost the same in IE. In Firefox I am only seeing a portion of the Known Exploit column, also with no ability to scroll.

Robert

Diary Archives