Microsoft patches Windows, IE, Office and servers

Summary: Updates released today address a total of 37 vulnerabilities in Windows, Internet Explorer, Office, SharePoint Server 2013, the .NET Framework and SQL Server.

Microsoft has released security updates for Windows, OneNote 2007, SQL Server 2008 and above, SharePoint Server 2013 and Windows Media Center TV Pack.

The updates and the vulnerabilities they address are described in nine bulletins. Most (26) of the vulnerabilities are memory corruption vulnerabilities fixed in a Cumulative Update for Internet Explorer. All of these bugs are critical security vulnerabilities and all are exploitable, some only on older versions of Windows. One of the vulnerabilities has already been publicly disclosed and another is being exploited in the wild in limited attacks. (With this report, Microsoft is adding a new Exploitability Index value of 0 for vulnerabilities which are already being exploited.) The bulletins:

  • MS14-051: Cumulative Security Update for Internet Explorer (2976627) — This update constitutes the bulk of this Patch Tuesday. Twenty-six vulnerabilities are all rated critical on Windows clients and moderate on Windows servers. Microsoft has fixed a large number of these Internet Explorer memory corruption vulnerabilities lately.

  • MS14-043: Vulnerability in Windows Media Center Could Allow Remote Code Execution (2978742) — If a user opens a specially crafted Office document that invokes Windows Media Center resources, an attacker could attain remote code execution in the context of the logged-in user. Only certain versions of Windows 7 and Windows 8.x are affected. See the bulletin for details.

  • MS14-044: Vulnerabilities in SQL Server Could Allow Elevation of Privilege (2984340) — Two vulnerabilities in SQL Server Master Data Services and SQL Server relational database management system could result in elevated privilege if the user visits a website that injects client script. All versions since SQL Server 2008 are affected.

  • MS14-045: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) — All versions of Windows are affected by three vulnerabilities that could result in elevation of privilege or information disclosure.

  • MS14-046: Vulnerability in .NET Framework Could Allow Security Feature Bypass (2984625) — Microsoft .NET Framework 2.0 Service Pack 2, 3.0 Service Pack 2, 3.5, and 3.5.1 are vulnerable to a web-based attack that could bypass ASLR (Address Space Layout Randomization), facilitating remote code execution attacks through other vulnerabilities. Nearly all versions of Windows are affected.

  • MS14-047: Vulnerability in LRPC Could Allow Security Feature Bypass (2978668) — A vulnerability in the handling of malformed RPC messages.

  • MS14-048: Vulnerability in OneNote Could Allow Remote Code Execution (2977201) — This vulnerability could allow remote code execution if a specially crafted file is opened in Microsoft OneNote 2007 Service Pack 3.

  • MS14-049: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) — The Installer service in all versions of Windows could elevate privilege of a program attempting a repair of an already-installed file. The user must be logged on locally with valid credentials.

  • MS14-050: Vulnerability in Microsoft SharePoint Server Could Allow Elevation of Privilege (2977202) — An authenticated user could inject JavaScript into the context of the user on a SharePoint 2013 site.

Note that today is the deadline for businesses to apply the Windows 8.1 update if they want to continue to receive updates from Microsoft.

Today Microsoft is also adding the ability to block old ActiveX controls to the Windows Update process. Initially, this feature will be used to block old versions of Java.

A new version of the Windows Malicious Software Removal Tool is also released today.

Finally, Microsoft has released a series of non-security updates. The details on many of them are not yet available.

Talkback

11 comments
  • An Utter Outrage to allow the customer no freedom....

    "Note that today is the deadline for businesses to apply the Windows 8.1 update if they want to continue to receive updates from Microsoft."
    5735guy
    • It's a prerequisite update.

      At least it's better than Apple's method of suddenly dropping OS support without warning.
      ForeverCookie
  • Update 2

    When is Update 2 going to be released for Windows 8.1? Yes, I am calling it update 2, don't believe the rumors from Microsoft that it isn't Update 2!
    Pollo Pazzo
    • funny you should ask

      I think there isn't an Update 2, at least for a while, but there is an Update rollup released today: http://www.zdnet.com/this-months-update-rollup-for-windows-8-1-delivers-more-than-just-bug-fixes-7000032565/
      Larry Seltzer
  • SP1 again??

    I'm currently updating Win 7 SP1 and Microsoft included SP1 in the list of updates to install. I left it checked because I wasn't sure what to do. I figure my desktop won't install it if it's already there. I hope. I can always roll it back to the restore point if it doesn't work right.
    harry_dyke
    • I Tried the Email Link . . .

      . . . but an "Unknown Error" occurred!

      Larry - Perhaps you've heard something about this MS issue. I, like thousands of others, lost the ability to use MS Office (Pro in my case) in early July (on or about the 11th) after a Windows update. Initially, MS provided a fix which didn't work; they've been totally silent since. I will never again use automatic updates!

      This is my home computer (HP/Win7 Pro) and the Office suite was purchased through an employee plan at a very special price. My problem, from what I read, is they want a total Uninstall/Reinstall. I no longer work for that company so I don't have access to the installation link/code any longer. There are many others with educational or Office360 licenses experiencing the same problem - not too many corporate users are griping though. When we attempt to launch any Office application, we get a message "Something went wrong" with an online link to the MS forum.

      I write you not to help (unless you can), but to inquire why I haven't seen anything about this problem in the media? There seem to be thousands of users around the globe that are very upset and no fix after a month! I think MS needs to be pushed on this.

      Has anyone else experienced this problem?
      Gr8Music
  • SP1 Again?

    @harry_dyke... Yeah, Same here... getting a dozen or so machines that include SP1 again. Anyone that might know why? It's kind of disturbing. So, I installed all security updates except SP1 until this is addressed. Hope there's an answer....
    gizmo350
    • RE: SP1 Again?....

      I believe there was an article about this last week, that MS wants to get everyone who has Win7 up to the SP1, everyone who uses Win8 up to the latest Win8.x version. I don't remember the reasons why, I had just skimmed through the article.

      TW :-0
      T-Wrench
  • RE: ?

    Sorry,
    Did not mean to offend!!

    8-(

    TW
    T-Wrench
  • SP 1 again

    FYI - I installed the SP 1 update on both of my SP 1 machines and experienced no ill effects. Your mileage may vary.
    harry_dyke