20141015. Microsoft released 8 security patches on October 15
Hello everyone, we are the security support team of Microsoft Greater China.
Microsoft released eight new security bulletins on October 15, 2014, Beijing time. Three of them are rated Severe and five are rated Important. Together they fix vulnerabilities in Windows, Office, .NET Framework, ASP.NET, and Internet Explorer (IE). As in the past, we recommend that you install all updates. For users who can deploy only some of the updates for the time being, we recommend that you first deploy the security bulletins rated "Severe".
MS14-056 addresses 14 privately reported vulnerabilities in Internet Explorer. The most serious vulnerability may allow remote code execution when a user views a specially crafted webpage in Internet Explorer. Attackers who successfully exploit these vulnerabilities can obtain the same user permissions as the current user.
MS14-057 addresses three privately reported vulnerabilities in Microsoft .NET Framework. If an attacker sends a specially crafted URI request containing international characters to a .NET web application, the most serious vulnerability may allow remote code execution.
MS14-058 addresses two privately reported vulnerabilities in Microsoft Windows. If attackers trick users into opening a specially crafted document or visiting an untrusted website that contains embedded TrueType fonts, the more serious vulnerability may allow remote code execution.
Microsoft released three security advisories this month:
Update to Improve Credential Protection and Management (2871997)
Microsoft announced updates for supported versions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that enhance credential protection and domain authentication controls to reduce credential theft.
Provides SHA-2 Hashing for Windows 7 and Windows Server 2008 R2 (2949927)
Microsoft announced an update for all supported versions of Windows 7 and Windows Server 2008 R2 to add SHA-2 signature and verification support. Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update because the SHA-2 signature and verification features are included in these operating systems. This update is not applicable to Windows Server 2003, Windows Vista, or Windows Server 2008.
Update for Microsoft EAP That Supports Using TLS (2977292)
Microsoft announced an update to its Extensible Authentication Protocol (EAP) implementation for supported versions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT. This update supports using Transport Layer Security (TLS) 1.1 or 1.2 by modifying the system registry key.
Microsoft also revised a security bulletin:
Security Bulletin MS14-042 | Vulnerability in Microsoft Service Bus may allow DoS
This security update addresses a publicly disclosed vulnerability in Microsoft Service Bus for Windows Server. If an authenticated remote attacker creates and runs a program that sends a series of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system, the vulnerability may allow denial of service (DoS). This revision announces that the security update is now offered through Microsoft Update, in addition to the "Download Center only" option provided when the bulletin was initially released. Customers who have already successfully updated their systems do not need to take any action.
At the same time, Microsoft also revised a security advisory:
Security Advisory 2755801 | Update for vulnerabilities in Adobe Flash Player in Internet Explorer
Microsoft announced the release of Adobe Flash Player updates for Internet Explorer on supported versions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. This update resolves the vulnerabilities by updating the affected Adobe Flash library contained in Internet Explorer 10 and Internet Explorer 11. On October 14, 2014, Microsoft released an update (3001237) for Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities described in Adobe Security Bulletin APSB14-22.
At the same time, Microsoft announced an upcoming update to the feature that blocks out-of-date ActiveX controls. From November 12, 2014, in addition to old Java versions, old versions of Silverlight will also be blocked. This feature also supports Internet Explorer 9 on Windows Vista SP2 and Windows Server 2008 SP2. For more information, visit IEBlog.
The following table lists the security bulletins for this month (sorted by severity):
Bulletin ID | Bulletin title and summary | Highest severity level and vulnerability impact | Restart requirement | Affected software
MS14-056 | Cumulative Security Update for Internet Explorer (2987107) | Severe | Restart required | Microsoft Windows,
MS14-057 | .NET Framework vulnerabilities may allow remote code execution (3000414). This security update addresses three privately reported vulnerabilities in Microsoft .NET Framework. If an attacker sends a specially crafted URI request containing international characters to a .NET web application, the most serious vulnerability may allow remote code execution. In .NET 4.0 applications, the vulnerable feature (iriParsing) is disabled by default; to exploit this vulnerability, the application must explicitly enable this feature. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled. | Severe | May require restart | Microsoft Windows,
MS14-058 | Vulnerabilities in kernel-mode drivers may allow remote code execution (3000061). This security update addresses two privately reported vulnerabilities in Microsoft Windows. If attackers trick users into opening a specially crafted document or visiting an untrusted website that contains embedded TrueType fonts, the more serious vulnerability may allow remote code execution. However, in all circumstances, attackers cannot force users to perform these operations. Instead, attackers must persuade the user to do so, typically by getting the user to click a link in an email or Instant Messenger message. | Severe | Restart required | Microsoft Windows
MS14-059 | Vulnerability in ASP.NET MVC may allow security bypass (2990942). This security update addresses a publicly disclosed vulnerability in ASP.NET MVC. If attackers trick users into clicking a specially crafted link or visiting a webpage containing specially crafted content intended to exploit the vulnerability, the vulnerability may allow attackers to bypass security features. In a web-based attack scenario, an attacker may host a specially crafted website designed to exploit the vulnerability through a web browser, and then entice users to view the website. Attackers may also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites may contain specially crafted content that can be used to exploit this vulnerability. However, in all circumstances, attackers cannot force users to view attacker-controlled content. Instead, attackers must trick users into taking action, typically by getting them to click a link in an email or Instant Messenger message that takes them to the attacker's website, or to open an attachment sent by email. | Important | May require restart | Microsoft development tools
MS14-060 | Vulnerability in Windows OLE may allow remote code execution (3000869). This security update resolves a privately reported vulnerability in Microsoft Windows. If a user opens a Microsoft Office file containing a specially crafted OLE object, this vulnerability may allow remote code execution. Attackers who successfully exploit this vulnerability can run arbitrary code in the context of the current user. If the current user is logged on with administrative user permissions, the attacker can install programs; view, change, or delete data; or create new accounts with full user permissions. Users whose accounts are configured with fewer user permissions are less affected than users with administrative user permissions. | Important | May require restart | Microsoft Windows
MS14-061 | Vulnerability in Microsoft Word and Office Web Apps may allow remote code execution (3000434). This security update resolves a privately reported vulnerability in Microsoft Office. If attackers trick users into opening a specially crafted Microsoft Word file, this vulnerability may allow remote code execution. Attackers who successfully exploit this vulnerability can obtain the same user permissions as the current user. If the current user is logged on with administrative user permissions, the attacker can install programs; view, change, or delete data; or create new accounts with full user permissions. Users whose accounts are configured with fewer user permissions are less affected than users with administrative user permissions. | Important | May require restart | Microsoft Office,
MS14-062 | Vulnerability in Message Queue Service may allow Elevation of Privilege (2993254). This security update resolves a publicly disclosed vulnerability in Microsoft Windows. If attackers send a specially crafted input/output control (IOCTL) request to the Message Queue Service, this vulnerability may allow Elevation of Privilege. Successful exploitation gives the attacker full access to the affected system. By default, the Message Queue Service component is not installed on any affected operating system version and can only be enabled by a user with administrative privileges. Only customers who manually enable the "Message Queue Service" component can be affected by this problem. | Important | Restart required | Microsoft Windows
MS14-063 | Vulnerability in the FAT32 disk partition driver may allow Elevation of Privilege (2998579). This security update resolves a privately reported vulnerability in Microsoft Windows. A privilege escalation vulnerability exists in the way that the Windows FASTFAT driver interacts with FAT32 disk partitions. Successful exploitation allows attackers to execute arbitrary code with elevated privileges. | Important | Restart required | Microsoft Windows
Microsoft will host a webcast at 11:00 A.M. on October 15, 2014 (US and Canada Pacific Time) to answer your questions about these bulletins. Register now to listen to the security bulletin webcast.
For details, refer to the security bulletin summary for October:
https://technet.microsoft.com/en-us/library/security/ms14-oct
Microsoft Security Response Center blog article (English):
http://blogs.technet.com/b/msrc/archive/2014/10/14/october-2014-updates.aspx
Microsoft Greater China Security Support Team