Microsoft has released security updates for Windows, OneNote 2007, SQL Server 2008 and above, SharePoint Server 2013 and Windows Media Center TV Pack.
The updates and the vulnerabilities they address are described in nine bulletins. Most (26) of the vulnerabilities are memory corruption vulnerabilities fixed in a Cumulative Update for Internet Explorer. All of these bugs are critical security vulnerabilities and all are exploitable, some only on older versions of Windows. One of the vulnerabilities has already been publicly disclosed and another is being exploited in the wild in limited attacks. (With this report, Microsoft is adding a new Exploitability Index value of 0 for vulnerabilities which are already being exploited.) The bulletins:
- MS14-051: Cumulative Security Update for Internet Explorer (2976627) — This update constitutes the bulk of this Patch Tuesday. Twenty-six vulnerabilities are all rated critical on Windows clients and moderate on Windows servers. Microsoft has fixed a large number of these Internet Explorer memory corruption vulnerabilities lately.
- MS14-043: Vulnerability in Windows Media Center Could Allow Remote Code Execution (2978742) — If a user opens a specially crafted Office document that invoked Windows Media Center resources, an attacker could attain remote code execution in the context of the logged-in user. Only certain versions of Windows 7 and Windows 8.x are affected. See the bulletin for details.
- MS14-044: Vulnerabilities in SQL Server Could Allow Elevation of Privilege (2984340) — Two vulnerabilities in SQL Server Master Data Services and SQL Server relational database management system could result in elevated privilege if the user visits a website that injects client script. All versions since SQL Server 2008 are affected.
- MS14-045: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) — All versions of Windows are affected by three vulnerabilities that could result in elevation of privilege or Information Disclosure.
- MS14-046: Vulnerability in .NET Framework Could Allow Security Feature Bypass (2984625) — Microsoft .NET Framework 2.0 Service Pack 2, 3.0 Service Pack 2, 3.5, and 3.5.1 are vulnerable to a web-based attack that could bypass ASLR (Address Space Layout Randomization), facilitating remote code execution attacks through other vulnerabilities. Nearly all versions of Windows are affected.
- MS14-047: Vulnerability in LRPC Could Allow Security Feature Bypass (2978668) — A vulnerability in the handling of malformed RPC messages.
- MS14-048: Vulnerability in OneNote Could Allow Remote Code Execution (2977201) — This vulnerability could allow remote code execution if a specially crafted file is opened in Microsoft OneNote 2007 Service Pack 3.
- MS14-049: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) — The Installer service in all versions of Windows could elevate privilege of a program attempting a repair of an already-installed file. The user must be logged on locally with valid credentials.
Note that today is the deadline for businesses to apply the Windows 8.1 update if they want to continue to receive updates from Microsoft.
Today Microsoft is also adding the ability to block old ActiveX controls to the Windows Update process. Initially, this feature will be used to block old versions of Java.
A new version of the Windows Malicious Software Removal Tool is also released today.
Finally, Microsoft has released a series of non-security updates. The details on many of them are not yet available.
- Update for Windows 7 (KB2959943) — "Another application has exclusive access to the device" error when you claim multiple devices through POS for .NET 1.14
- Update for Windows 7 and Windows Server 2008 R2 (KB2970228)
- Update for Windows 8.1 and Windows RT 8.1 (KB2971239)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2975331)
- Update for Windows 8.1 and Windows RT 8.1 (KB2978002)
- Update for Windows 8.1 and Windows RT 8.1 (KB2979500)
- Update for Windows 7 and Windows Server 2008 R2 (KB2980245)
- Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP Embedded (KB2981580) — August 2014 cumulative time zone update for Windows operating systems
- Update for Windows 8.1 and Windows RT 8.1 (KB2981655)