Ahhh, August. In Europe, shops close and businesses operate on skeleton crews with many workers out “on holiday.” In the United States, school children and teachers are gearing up for the beginning of another school year. In the southern hemisphere, winter is finally winding down and folks are looking forward to warmer weather.
And in server rooms and data centers all over the world, IT professionals are getting ready for another round of patches from Microsoft. As we noted in our Advance Notification article last week, this month’s slate of patches is nearly a particularly light nor an especially heavy one. Nine security bulletins were released, addressing thirty-sevenvulnerabilities, most of them in Windows and a few in server products (SQL Server and SharePoint Server). Only two are rated critical while the rest are classified as important.
For the official and complete low-down on these patches, be sure to check out the bulletin summary on the Microsoft web site.
MS14-05 (KB2976627) This is another cumulative security update for Internet Explorer, which includes previously released hot fixes. It applies to all currently supported versions of Microsoft’s web browser: IE 6, 7, 8, 9, 10 and 11, running on all currently supported versions of the Windows client and server operating system, except of course server core installations that don’t run a web browser. The update is rated critical on client versions of the OS and moderate on server versions.
Note that if you’re running IE 11 on Windows 8.1, RT 8.1 or Server 2012 R2, you won’t be offered this or other security updates unless update 2919355 is installed. On Windows 7 and Server 2008 R2, update 2929437 must be installed.
This update addresses 26 different vulnerabilities, one of which was disclosed publicly and the rest of which were reported privately. The main concern is remote code execution, which would allow the attacker to gain the same level of user rights as the currently logged-on user. This update fixes the problem by changing the way IE handles objects in memory and adding more permission validations.
MS14-043 (KB2978742) This update addresses a vulnerability in Windows Media Center in Windows 7 SP1, Windows 8 Pro and Windows 8.1 Pro, and also applies to the Windows Media Center TV Pack for Windows Vista (an optional component on OEM versions of Vista Home Premium and Ultimate editions). It’s rated critical on all affected operating systems.
Windows versions/editions that do not have Windows Media Center installed are not affected. That includes all server operating systems, non-Pro editions of Windows 8/8.1 and all editions of Windows RT.
The single privately reported vulnerability addressed by this update can allow remote code execution when a user opens a malicious Office file that invokes Windows Media Center. If you are unable to apply the update, a workaround is to avoid opening Office files from untrusted sources. Note that the vulnerability can’t be exploited automatically through an email message or web site visit, only by opening an attachment or downloaded file.
MCPlayer.dll is part of Windows Media Center. It manages audio/video playback. The problem is caused by the MCPlayer.dll’s failure to clean up resources after an object is deleted. This update fixes the problem by changing the way COM objects are handled in memory.
MS14-050 (KB2977202) This update addresses a vulnerability in Microsoft SharePoint Server. It affects only SharePoint Server 2013, with and without Service Pack 1. It does not affect earlier versions of SharePoint Server or SharePoint Services. It also does not affect Microsoft Web Applications. It’s rated important.
Important Note: Microsoft warns that some apps, especially if they use custom actions, may stop working after this update and you may be unable to install some apps. You will need to contact the author of the app to get an updated version that works with this update.
MS14-044 (KB2984340) This update addresses two vulnerabilities in SQL Server that were privately reported. It affects SQL Server 2008 SP3 for all systems, SQL Server 2008 R2 SP2 for all systems, SQL Server 2012 for all systems and SQL Server 2014 for x64 systems only. It does not affect earlier versions of SQL Server such as SQL Server 2005, nor does it affect SQL Server 2014 for 32 bit systems. Microsoft Data Engine (MSDE) is not affected. The update is rated important on all affected systems.
The updates will be offered to SQL clusters. You need to apply the update to active nodes first and then to passive nodes.
The more severe of these two vulnerabilities affects SQL Server Master Data Services, and could allow elevation of privilege if a user visits a specially crafted website that injects a client-side script into the user’s instance of Internet Explorer. The other is a stack overrun vulnerability that could be exploited to result in a denial of service attack. The update fixes the problem by changing the way the Master Data Services encodes output and correcting the way SQL Server handles T-SQL inquiries.
MS14-045 (KB2984615) This update addresses vulnerabilities in the Windows kernel-mode drivers. It affects all supported versions of Windows, both client and server, including server core installations. If you’re running Windows Vista, 7, 8, 8.1, RT, RT 8.1, Server 2003, 2008, 2008 R2, 2012, or 2012 R2, you need this update. It’s rated important for all affected operating systems.
You may be offered multiple update packages; you should install all updates offered.
There are three different vulnerabilities addressed by this update: a Win32k elevation of privilege vulnerability, a font double-fetch vulnerability and a windows kernel pool allocation vulnerability. The first two can be exploited to gain an elevation of privileges and the third can result in information disclosure. To exploit any of these vulnerabilities, the attacker would have to be able to log on to the system. No workarounds are provided. The update fixes the problem by correcting the way memory is allocated, the way specially crafted font files are handled in memory, and the way Windows handles thread-owned objects.
MS14-046 (KB2984625) This update addresses a vulnerability in the .NET Framework that affects all versions of the .NET Framework except versions 3.5 SP1 and 4.x running on all supported versions of the Windows operating system except Windows RT/RT 8.1. and the server core installation of Windows 2008. The rating is critical for all of the affected software.
Note that the vulnerability is present in .NET Framework 1.1 SP1 but Microsoft is not issuing an update for it because this would require significant re-architecting. Those running older releases should migrate to a newer version. Also note that you may have multiple versions of the .NET Framework installed on a system.
The single privately reported vulnerability addressed by this update is a security feature bypass that allows an attacker to circumvent the Address Space Layout Randomization (ASLR) security built into Windows, which could be combined with a remote code execution exploit to run arbitrary code and take control of a system. EMET can help to mitigate attempts to exploit this vulnerability. The update fixes the problem by ensuring that .NET Framework implements ASLR properly.
MS14-047 (KB2978668) This update addresses a vulnerability in Microsoft Remote Procedure Call (LRPC) that affects Windows 7, 8/8.1, RT/RT 8.1, Server 2008 R2, Server 2012/2012 R2, including server core installations. It does not affect Vista SP2, Server 2003 SP2 or Server 2008 SP2 (including server core installations). The update is rated important for all affected systems.
This privately reported vulnerability is another ASLR bypass vulnerability by which the LRPC server may leaks certain types of messages received from the client that have a data view attached.
The problem is caused by RPC’s improper freeing of messages that the server rejects as malformed, which can allow an attacker to fill up the address space of a process and bypass the ASLR security feature. Combined with a remote code execution exploit, this could allow the attacker to run arbitrary code. The update fixes the problem by changing the way RPC handles freeing of malformed messages.
MS14-048 (KB2977201) This update addresses a vulnerability in Microsoft OneNote that affects only OneNote 2007 SP3. Other supported versions of OneNote (2010 and 2013, including the Web app) are not affected. The update is rated important for the affected software.
There are some mitigating factors that can reduce the severity of a potential exploit. The vulnerability can’t be exploited automatically through email or by visiting a web site. The user would have to open an attachment or a file downloaded from the web site for a successful exploit. A temporary workaround would be to avoid opening OneNote files from untrusted sources.
The problem is caused by OneNote 2007’s failure to properly handle specially crafted OneNote files. A successful exploit could allow the attacker to remotely execute code and, if the logged in user has admin rights, completely take over control of the system. The update fixes the problem by correcting the way OneNote parses these files.
MS14-049 (KB2962490) This update addresses a vulnerability in the Windows Installer Service that affects all supported versions of the Windows client and server operating systems, including the server core installations. It is rated important for all affected operating systems. The threat is mitigated by the fact that an attacker has to have valid log-on credentials and must be in a position to log on locally in order to successfully carry out an exploit.
Note that in addition to fixing this vulnerability, the update also includes updates to improve some of the security features in Windows.
The problem is caused by the Windows Installer Service’s improper handling of the repair of a previously installed application, which a locally logged-on attacker could exploit to gain elevated privileges, run arbitrary code in kernel mode and completely take over control of a system. The update fixes the problem by correcting the way the Installer Service handles installation and repair.
Latest update: Microsoft recommends uninstalling problematic updates