Microsoft released eight bulletins this month – more than we’ve seen in the last few Patch Tuesdays, and the impact spans numerous software categories. Two of the eight are rated critical, for a total of 13 CVEs. The busy Patch Tuesday comes on the heels of the out-of-band patch for IE, MS14-021, which Microsoft released May 1.
In this slideshow, Russ Ernst, director of product development at Lumension, takes a closer look at the patches for May and the systems they affect.
Interestingly, one of this month’s two critical patches, MS14-029, is a fix for all versions of IE. It covers just two CVEs plus last week’s out-of-band fix, so it isn’t considered a cumulative update. If you haven’t gotten around to pushing out MS14-021, deploy MS14-029 instead.
The other critical bulletin this month is MS14-022. SharePoint users will want to pay close attention, as it affects SharePoint 2007, 2010 and 2013 as well as Microsoft Web Apps, otherwise known as Office Online. It addresses three CVEs; none is under public attack, and all require social engineering aimed at your users to trigger.
MS14-023 & MS14-024: Important
The remaining bulletins are rated important and impact a wide range of software categories. MS14-023 addresses two CVEs in Office that could allow remote code execution; MS14-024 addresses one CVE in Microsoft Common Controls that could also allow remote code execution. The bad guys use this one in conjunction with other attacks, so by closing the loop here, Microsoft has given IT a leg up against other, still-unknown attacks. For that reason, Microsoft puts it at the top of its deployment priority list.
MS14-025 fixes a vulnerability in Group Policy Preferences that could allow elevation of privilege. Poor initial design has made this one of the most commonly used exploits in the popular exploit kits, and customers don’t realize they shouldn’t be using the feature, so Microsoft has decided to remove it from the Group Policy manager. Microsoft has also posted scripts to the Knowledge Base article for this bulletin so administrators can migrate current policies without breaking their environments.
MS14-026 & MS14-027: Important
MS14-026 is an elevation of privilege issue in Windows and the .NET Framework. It covers one CVE, which is specific to .NET reporting. MS14-027 is a vulnerability in the Windows Shell handler that could allow elevation of privilege; this important-rated bulletin covers one CVE that is under active attack.
MS14-028 addresses two CVEs in iSCSI that could allow denial of service. The fix has not been extended to Windows Server 2008 because it would require significant re-architectural changes to that OS; instead, Microsoft recommends best practices as a workaround. Upgrading to Windows Server 2008 R2 or higher will also address the issue.
Outside of Microsoft, Adobe also announced security updates for Adobe Reader and Adobe Acrobat, assigning a priority rating of one to each of the four updates in the works.