Microsoft released eight security bulletins, which address 13 Common Vulnerabilities and Exposures (CVEs) in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. Microsoft's Dustin Childs recommended deploying MS14-024, MS14-025 and MS14-029 first.
MS14-022 fixes privately reported RCE vulnerabilities in Microsoft SharePoint Server 2007 SP 3, SharePoint Server 2010 and 2013 as well as Office Web Apps 2010 and 2013. According to Andrew Storms, director of DevOps at CloudPassage, "SharePoint is one of those critical back-end office servers, in the same bucket as Exchange and SQL Server. So it will be important to move gingerly and important to test properly before deploying it."
Although Microsoft issued an out-of-band patch to protect users from the Internet Explorer zero-day being exploited in the wild, and included Windows XP in it, that was the end of the line for XP users. MS14-029 is also rated "critical" but patches a different RCE hole in all supported versions of IE. Like the out-of-band IE patch, this one requires a restart.
MS14-023 resolves two privately reported RCE vulnerabilities in Microsoft Office.
MS14-024, recommended as a priority for deployment, fixes a privately reported flaw that could allow security feature bypass. Affected software includes Office 2007 SP 3, Office 2010 SP 1 and SP 2, Office 2013 and Office 2013 RT.
The next three patches fix elevation of privilege (EoP) bugs.
MS14-025 was also deemed a deployment priority by Microsoft for "Windows Vista, Windows 7, Windows 8, and Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2."
MS14-026, rated important, fixes a privately reported EoP flaw in Microsoft .NET Framework. Affected software includes: "Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, and Microsoft .NET Framework 4.5.1 on affected releases of Microsoft Windows."
MS14-027 resolves a flaw in the Windows shell handler, so count on needing to reboot after patching.
Lastly, MS14-028 needs to be deployed on Windows Server 2008 SP 2 (Windows Storage Server 2008 only), Windows Server 2008 R2, Server 2012 and 2012 R2 to plug two privately reported holes that could allow denial of service. Windows Server 2012 and 2012 R2 are affected under the Server Core installation option as well.
3 new, 1 revised Microsoft Security Advisories
Additionally, Microsoft issued three new security advisories and revised one. Security Advisory 2960358 disables RC4 in .NET Framework's Transport Layer Security. Security Advisory 2871997 is aimed at Windows 8 and Windows Server 2012 to enhance "credential protections and domain authentication controls to reduce credential theft." Although Security Advisory 2962824 revokes one private, third-party Unified Extensible Firmware Interface (UEFI) module, Microsoft said it is exercising "an abundance of caution" as it is "not currently aware of any customer impact." Lastly, Security Advisory 2755801 was revised with the latest update for Adobe Flash Player in IE.
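Because Security Advisory 2960358 changes which ciphers .NET offers over TLS, it is worth knowing where that state lives on a host so you can confirm it before and after deployment. The PowerShell check below is an added example, not code from the original post or from Microsoft's advisory. It assumes the standard SCHANNEL per-cipher registry keys (the system-wide switch for RC4) and that SchUseStrongCrypto is the .NET opt-in value associated with the advisory; confirm both against the advisory text for your .NET version before relying on the result.

```powershell
# Added example (not from the original post): report whether RC4 is still
# enabled for SCHANNEL (system-wide TLS) and whether .NET has opted into
# strong crypto. Run from an elevated prompt; read-only, changes nothing.

# Assumed: the documented SCHANNEL cipher key names for the RC4 variants.
$rc4Keys = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128')
$schannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-Rc4CipherState {
    # The key names contain a '/', which the HKLM: provider cannot address,
    # so the .NET registry API is used directly.
    foreach ($name in $rc4Keys) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannelBase\$name")
        if ($null -eq $key) {
            # No key at all means the Windows default applies: RC4 is still on.
            [pscustomobject]@{ Cipher = $name; Enabled = $true; Source = 'default (key absent)' }
            continue
        }
        $enabled = $key.GetValue('Enabled')
        $key.Close()
        # Enabled = 0 disables the cipher; any other value (or no value) leaves it on.
        [pscustomobject]@{
            Cipher  = $name
            Enabled = (($null -eq $enabled) -or ($enabled -ne 0))
            Source  = 'registry'
        }
    }
}

function Get-DotNetStrongCryptoState {
    # Assumed: SchUseStrongCrypto is the opt-in value tied to advisory 2960358.
    # Both the native and the WOW64 hives matter on 64-bit systems.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($p in $paths) {
        $item  = Get-ItemProperty -Path $p -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.SchUseStrongCrypto } else { $null }
        $state = 'not set (RC4 still offered by .NET)'
        if ($value -eq 1) { $state = '1 (strong crypto enforced)' }
        elseif ($null -ne $value) { $state = "$value (explicitly off)" }
        [pscustomobject]@{ Path = $p; SchUseStrongCrypto = $state }
    }
}

Get-Rc4CipherState         | Format-Table -AutoSize
Get-DotNetStrongCryptoState | Format-Table -AutoSize
```

The two views are deliberately separate: disabling RC4 in SCHANNEL affects every component that uses the system TLS stack, while the .NET value only affects managed applications, so a host can show RC4 off for one and still on for the other.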
Regarding the required Windows 8.1 Update, Microsoft has pushed back the deadline another month. "While we believe the majority of people have received the update, we recognize that not all have," wrote Microsoft's Brandon LeBlanc. "As a result, we've decided to extend the requirement for our consumer customers to update their devices to the Windows 8.1 Update in order to receive security updates another 30 days to June 10th. As noted previously, consumer customers who do not update their Windows 8.1 devices to the Windows 8.1 Update by this new deadline will no longer receive updates." If you plan to install it manually, then you should read this.
If you like the deployment priority graphic, you are out of luck as Microsoft chose not to offer it this month. At any rate, happy patching!
Follow me on Twitter @PrivacyFanatic