Microsoft Security Bulletin(s) for October 14, 2014

Discussion in 'other security issues & news' started by NICK ADSL UK, Oct 14, 2014.

  1. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,218
    Location:
    UK
    Microsoft Security Bulletin(s) for October 14, 2014
    Note: There may be latency issues due to replication; if the page does not display, keep refreshing.

    Today Microsoft released the following Security Bulletin(s).

    Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.
    Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

    Bulletin Summary:
    https://technet.microsoft.com/library/security/ms14-oct

    Critical (3)
    Microsoft Security Bulletin MS14-056 Cumulative Security Update for Internet Explorer (2987107)
    »technet.microsoft.com/library/se···ms14-056
    Microsoft Security Bulletin MS14-057
    Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414)
    »technet.microsoft.com/library/se···ms14-057
    Microsoft Security Bulletin MS14-058
    Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)
    »technet.microsoft.com/library/se···ms14-058


    Important (5)
    Microsoft Security Bulletin MS14-059 Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)
    »technet.microsoft.com/library/se···ms14-059
    Microsoft Security Bulletin MS14-060
    Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869)
    »technet.microsoft.com/library/se···ms14-060
    Microsoft Security Bulletin MS14-061
    Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434)
    »technet.microsoft.com/library/se···ms14-061
    Microsoft Security Bulletin MS14-062
    Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)
    »technet.microsoft.com/library/se···ms14-062
    Microsoft Security Bulletin MS14-063
    Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)
    »technet.microsoft.com/library/se···ms14-063


    Moderate (0)

    Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.
    If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact For home users, no-charge support for security updates (only!) is available by calling 800-MICROSOFT (800-642-7676) in the US or 877-568-2495 in Canada.
    As always, download the updates only from the vendor's website - visit Windows Update and Office Update or Microsoft Update websites. You may also get the updates thru Automatic Updates functionality in Windows system.
    Security Tool
    Find out if you are missing important Microsoft product updates by using MBSA
     
    Last edited: Oct 14, 2014
  2. NICK ADSL UK

    Join members of the Trustworthy Computing team for the latest information on this month’s Microsoft Security Bulletins.
    Security Bulletin Webcast
    You can take part in the live Security Bulletin webcast on the second Wednesday of every month beginning at 11 a.m. PT.

    The next webcast is scheduled for Wednesday, October 15.
    http://technet.microsoft.com/en-US/security/dn756352
     
  3. NICK ADSL UK

    Microsoft Security Advisory Notification Issued: October 14, 2014
    Security Advisories Updated or Released Today

    * Microsoft Security Advisory (2755801)
    - Title: Update for Vulnerabilities in Adobe Flash Player in
    Internet Explorer
    - »technet.microsoft.com/library/se···/2755801
    - Revision Note: V30.0 (October 14, 2014): Added the 3001237
    update to the Current Update section.

    * Microsoft Security Advisory (2871997)
    - Title: Update to Improve Credentials Protection and Management
    - »technet.microsoft.com/library/se···/2871997
    - Revision Note: V4.0 (October 14, 2014): Rereleased advisory
    to announce the release of updates that provide additional
    protection for users' credentials when logging on to a remote
    host server. See Updates Related to this Advisory and Advisory
    FAQ for details.

    * Microsoft Security Advisory (2949927)
    - Title: Availability of SHA-2 Hashing Algorithm for Windows 7
    and Windows Server 2008 R2
    - »technet.microsoft.com/library/se···/2949927
    - Revision Note: V1.0 (October 14, 2014): Advisory published.

    * Microsoft Security Advisory (2977292)
    - Title: Update for Microsoft EAP Implementation that Enables
    the Use of TLS
    - »technet.microsoft.com/library/se···/2977292
    - Revision Note: V1.0 (October 14, 2014): Advisory published.
     
  4. NICK ADSL UK

    Microsoft Security Bulletin Re-Releases Issued: October 14, 2014
    Summary

    The following bulletin has undergone a major revision increment.
    Please see the appropriate bulletin for more details.

    * MS14-042 - Moderate

    Bulletin Information:

    MS14-042 - Moderate

    - »technet.microsoft.com/library/se···ms14-042
    - Reason for Revision: V2.0 (October 14, 2014): Bulletin
    rereleased to announce the offering of the security update
    via Microsoft Update, in addition to the Download-Center-only
    option that was provided when this bulletin was originally
    released. Customers who have already successfully updated
    their systems do not need to take any action.
    - Originally posted: July 8, 2014
    - Updated: October 14, 2014
    - Bulletin Severity Rating: Important
    - Version: 2.0
     
  5. NICK ADSL UK

    Microsoft Security Advisory Notification Issued: October 21, 2014
    Security Advisories Updated or Released Today

    * Microsoft Security Advisory (3010060)
    - Title: Vulnerability in Microsoft OLE Could Allow Remote Code
    Execution
    - »technet.microsoft.com/library/se···/3010060
    - Revision Note: V1.0 (October 21, 2014): Advisory published.
     
  6. NICK ADSL UK

    Microsoft Security Advisory 3009008
    Vulnerability in SSL 3.0 Could Allow Information Disclosure
    Published: October 14, 2014 | Updated: October 29, 2014
    Version: 2.0
    General Information
    Executive Summary
    Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.
    We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
    Microsoft is announcing that SSL 3.0 will be disabled in the default configuration of Internet Explorer and across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure security protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.
    Mitigating Factors:
    • The attacker must make several hundred HTTPS requests before the attack could be successful.
    • TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
    Recommendation. Please see the Suggested Actions section of this advisory for workarounds to disable SSL 3.0. Microsoft recommends customers use these workarounds to test their clients and services for the usage of SSL 3.0 and start migrating accordingly.
    Revisions
    • V1.0 (October 14, 2014): Advisory published.
    • V1.1 (October 15, 2014): Revised advisory to include a workaround for disabling the SSL 3.0 protocol in Windows.
    • V2.0 (October 29, 2014): Revised advisory to announce the deprecation of SSL 3.0, to clarify the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer. For more information see Knowledge Base Article 3009008.

    https://technet.microsoft.com/library/security/3009008
     