Microsoft May 2014 Patch Tuesday - SANS Internet Storm Center

Overview of the May 2014 Microsoft patches and their status.

IMPORTANT: Don't miss MS14-029. This bulletin fixes ANOTHER vulnerability in MSIE that has already been used in targeted exploits!

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	clients	servers
MS14-021 (released May 1st)	Security Update for Internet Explorer
MS14-021 (released May 1st)	Microsoft Windows, Internet Explorer CVE-2014-1776	KB 2965111	Yes!	Severity:Critical Exploitability: 1	PATCH NOW	Critical
MS14-022	Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution
MS14-022	Microsoft Server Software,Productivity Software CVE-2014-0251 CVE-2014-1754 CVE-2014-1813	KB 2952166	.	Severity:Critical Exploitability: 1,3	Important	Critical
MS14-023	Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
MS14-023	Microsoft Office CVE-2014-1756 CVE-2014-1808	KB 2961037	.	Severity:Important Exploitability: 1	Critical	Important
MS14-024	Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (ASLR Bypass)
MS14-024	Microsoft Office CVE-2014-1809	KB 2961033	Yes	Severity:Important Exploitability: NA	Important	Important
MS14-025	Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege
MS14-025	Group Policy Preferences CVE-2014-1820	KB 2962486	.	Severity:Important Exploitability: 1	Important	Important
MS14-026	Vulnerability in .NET Framework Could Allow Elevation of Privilege
MS14-026	Microsoft Windows,Microsoft .NET Framework CVE-2014-1806	KB 2958732	.	Severity:Important Exploitability: 1	Important	Important
MS14-027	Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege
MS14-027	Microsoft Windows CVE-2014-1807	KB 2962488	Yes	Severity:Important Exploitability: 1	Important	Important
MS14-028	Vulnerability in iSCSI Could Allow Denial of Service
MS14-028	iSCSI CVE-2014-0225 CVE-2014-0226	KB 2962485	.	Severity:Important Exploitability: 3	Important	Important
MS14-029	Security Update for Internet Explorer
MS14-029	Microsoft Windows, Internet Explorer CVE-2014-0310 CVE-2014-1815	KB 2962482	Yes	Severity:Critical Exploitability: 1	PATCH NOW!	Critical

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

Johannes

4479 Posts
ISC Handler

May 13th 2014

Acording to Microsoft MS14-029 superseeds MS14-021 (except for XP of course), so MS14-021 is not important any more.

Anonymous

Anyone have any clue why KB2871997 wasn't included in the monthly updates? Seems pretty security related to me.

https://technet.microsoft.com/library/security/2871997

Dan

9 Posts

"Note that since these changes will primarily benefit systems in an enterprise environment, this update has been made optional to consumers. Consumers who want to install this update should run the Windows Update client and select the optional update for 2871997."

It is being pushed thru WSUS.

Dean

135 Posts

Does anyone know where to get the updated common controls (ocx-files) without having a vulnerable office versions installed? What seems as a typical behaviour from Microsoft, one can't find the updated files anywhere as a downloadable package.

There still lots of older software which distribute these controls as a required part of the application. Our company is one of them and we wouldn't want to distribute vulnerable versions in case the user doesn't have Office packages installed..

Paul

13 Posts

FYI - Don't know if anyone else is experiencing this or not ... I have tried loading this page in Chrome 34.0.1847.137 m, IE 11.0.9600.17105, and Firefox 29.01 and none of them properly displays the table. In Chrome I see half of the Client column (Patc NOW, Import, Critc) with no option to scroll over to the server column. Display is almost the same in IE. In Firefox I am only seeing a portion of the Known Exploit column, also with no ability to scroll.

Robert

rstrom

7 Posts