    Microsoft Kicks Off Summer with Seven Patch Tuesday Bulletins

    Of the seven bulletins released for June Patch Tuesday, two are rated critical and five are rated important. All together, they cover a total of 66 CVEs, but one, MS14-035, remediates 59 of those CVEs. Yes, it’s time for another IE cumulative update and this should (again) be first on your list of patching priorities for June from Microsoft. Russ Ernst, director, product management at Lumension, provides a rundown on the patches for this month.

    June Patch Summary

    MS14-035: Cumulative Security Update for Internet Explorer (2969262)
    Severity: Critical
    Restart: Requires restart
    Affects: Microsoft Windows, Internet Explorer

    MS14-036: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)
    Severity: Critical
    Restart: Requires restart
    Affects: Microsoft Windows, Microsoft Office, Microsoft Lync

    MS14-034: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)
    Severity: Important
    Restart: May require restart
    Affects: Microsoft Office

    MS14-033: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061)
    Severity: Important
    Restart: May require restart
    Affects: Microsoft Windows

    MS14-032: Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258)
    Severity: Important
    Restart: May require restart
    Affects: Microsoft Lync Server

    MS14-031: Vulnerability in TCP Protocol Could Allow Denial of Service (2962478)
    Severity: Important
    Restart: Requires restart
    Affects: Microsoft Windows

    MS14-030: Vulnerability in Remote Desktop Could Allow Tampering (2969259)
    Severity: Important
    Restart: May require restart
    Affects: Microsoft Windows

    MS14-035: Critical

    Last month, IE saw a lot of activity: an out-of-band patch released on May 1, a point fix released as part of May’s Patch Tuesday, and a vulnerability that was publicly disclosed by the Zero-Day Initiative on May 21. This cumulative update includes a fix for the ZDI-reported vulnerability and one other publicly reported vulnerability. The ZDI-reported vulnerability had a limited attack surface (impacting IE 8 only) and since it was publicly reported, there are no known active attacks. In fact, none of the vulnerabilities in this month’s release are under active attack, including these two publicly reported vulnerabilities.

    MS14-036: Critical

    The second critical patch this month is MS14-036. This is a far-reaching vulnerability in the Microsoft Graphics component that could allow remote code execution. The two CVEs are not currently under known attack, but the impacted software list is extensive: all versions of Windows, Office, Lync and Live Meeting. Given this extensive list of impacted applications and systems, administrators should have their test systems up to date to ensure a smooth roll-out.

    MS14-030: Important

    MS14-030 is a vulnerability in Remote Desktop that could allow tampering in legacy versions of Windows RDP. This Important-class bulletin covers one CVE, which was privately disclosed. The usefulness for a hacker is low and therefore attacks aren’t likely. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

    MS14-031: Important

    MS14-031 is a vulnerability in the TCP protocol that could allow denial of service in Windows Vista and newer. This is a distributed denial of service scenario that could cause machines to blue screen.

    MS14-032: Important

    MS14-032 is a vulnerability in Microsoft Lync 2010 and 2013 that could allow information disclosure. To exploit this vulnerability, an attacker would have to hijack a valid Lync meeting and resend the invite with a cross-site scripting attack. This requires a bit of social engineering, so don’t accept meeting requests from unknown organizers.  

    MS14-033: Important

    MS14-033 is an information disclosure vulnerability in XML Core Services. Using other products, like IE, an attacker could get someone to unwittingly disclose the contents of different directories. An attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an instant messenger request that takes users to the attacker’s website.

    MS14-034: Important

    A remote code execution vulnerability in Microsoft Word is addressed in MS14-034. It impacts Office 2007 and higher. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

    Windows Server 2003 EOL

    Notably, MS14-036 and MS14-031 impact Windows Server 2003, so this is a good time to note its impending end of life in July 2015. We are coming up on just a year out now, and because any changes to your data center environment will likely require a significant amount of planning and work, it isn’t too soon to get that plan started.
