Microsoft Security Bulletin(s) for October 14, 2014

Note: There may be latency issues due to replication; if the page does not display, keep refreshing.

Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information.

Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:
https://technet.microsoft.com/library/security/ms14-oct

Critical (3)

Microsoft Security Bulletin MS14-056
Cumulative Security Update for Internet Explorer (2987107)
»technet.microsoft.com/library/se···ms14-056

Microsoft Security Bulletin MS14-057
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414)
»technet.microsoft.com/library/se···ms14-057

Microsoft Security Bulletin MS14-058
Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)
»technet.microsoft.com/library/se···ms14-058

Important (5)

Microsoft Security Bulletin MS14-059
Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)
»technet.microsoft.com/library/se···ms14-059

Microsoft Security Bulletin MS14-060
Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869)
»technet.microsoft.com/library/se···ms14-060

Microsoft Security Bulletin MS14-061
Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434)
»technet.microsoft.com/library/se···ms14-061

Microsoft Security Bulletin MS14-062
Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)
»technet.microsoft.com/library/se···ms14-062

Microsoft Security Bulletin MS14-063
Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)
»technet.microsoft.com/library/se···ms14-063

Moderate (0)

Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact

For home users, no-charge support for security updates (only!) is available by calling 800-MICROSOFT (800-642-7676) in the US or 877-568-2495 in Canada.

As always, download the updates only from the vendor's website - visit Windows Update and Office Update or Microsoft Update websites. You may also get the updates through Automatic Updates functionality in Windows system.

Security Tool
Find out if you are missing important Microsoft product updates by using MBSA.

Join members of the Trustworthy Computing team for the latest information on this month’s Microsoft Security Bulletins.

Security Bulletin Webcast
You can take part in the live Security Bulletin webcast on the second Wednesday of every month beginning at 11 a.m. PT. The next webcast is scheduled for Wednesday, October 15.
http://technet.microsoft.com/en-US/security/dn756352

Microsoft Security Advisory Notification
Issued: October 14, 2014

Security Advisories Updated or Released Today

* Microsoft Security Advisory (2755801)
  - Title: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  - »technet.microsoft.com/library/se···/2755801
  - Revision Note: V30.0 (October 14, 2014): Added the 3001237 update to the Current Update section.

* Microsoft Security Advisory (2871997)
  - Title: Update to Improve Credentials Protection and Management
  - »technet.microsoft.com/library/se···/2871997
  - Revision Note: V4.0 (October 14, 2014): Rereleased advisory to announce the release of updates that provide additional protection for users' credentials when logging on to a remote host server. See Updates Related to this Advisory and Advisory FAQ for details.

* Microsoft Security Advisory (2949927)
  - Title: Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2
  - »technet.microsoft.com/library/se···/2949927
  - Revision Note: V1.0 (October 14, 2014): Advisory published.

* Microsoft Security Advisory (2977292)
  - Title: Update for Microsoft EAP Implementation that Enables the Use of TLS
  - »technet.microsoft.com/library/se···/2977292
  - Revision Note: V1.0 (October 14, 2014): Advisory published.

Microsoft Security Bulletin Re-Releases
Issued: October 14, 2014

Summary

The following bulletin has undergone a major revision increment. Please see the appropriate bulletin for more details.

* MS14-042 - Moderate

Bulletin Information:

MS14-042 - Moderate
  - »technet.microsoft.com/library/se···ms14-042
  - Reason for Revision: V2.0 (October 14, 2014): Bulletin rereleased to announce the offering of the security update via Microsoft Update, in addition to the Download-Center-only option that was provided when this bulletin was originally released. Customers who have already successfully updated their systems do not need to take any action.
  - Originally posted: July 8, 2014
  - Updated: October 14, 2014
  - Bulletin Severity Rating: Important
  - Version: 2.0

--

Microsoft Security Advisory Notification
Issued: October 21, 2014

Security Advisories Updated or Released Today

* Microsoft Security Advisory (3010060)
  - Title: Vulnerability in Microsoft OLE Could Allow Remote Code Execution
  - »technet.microsoft.com/library/se···/3010060
  - Revision Note: V1.0 (October 21, 2014): Advisory published.

Microsoft Security Advisory 3009008
Vulnerability in SSL 3.0 Could Allow Information Disclosure

Published: October 14, 2014 | Updated: October 29, 2014
Version: 2.0

General Information

Executive Summary

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Microsoft is announcing that SSL 3.0 will be disabled in the default configuration of Internet Explorer and across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure security protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.

Mitigating Factors:

* The attacker must make several hundred HTTPS requests before the attack could be successful.
* TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Recommendation. Please see the Suggested Actions section of this advisory for workarounds to disable SSL 3.0. Microsoft recommends customers use these workarounds to test their clients and services for the usage of SSL 3.0 and start migrating accordingly.

Revisions

* V1.0 (October 14, 2014): Advisory published.
* V1.1 (October 15, 2014): Revised advisory to include a workaround for disabling the SSL 3.0 protocol in Windows.
* V2.0 (October 29, 2014): Revised advisory to announce the deprecation of SSL 3.0, to clarify the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer. For more information see Knowledge Base Article 3009008.

https://technet.microsoft.com/library/security/3009008