The patches released by Microsoft for the August Patch Tuesday include nine bulletins (two critical and seven important) and cover 38 CVEs. Per Russ Ernst, director of product management at Lumension, IT’s first priority should be the critical, cumulative update for IE. MS14-051 includes 25 CVEs for all supported versions of the browser. All were privately disclosed with the exception of one, CVE-2014-2819, which was publicly disclosed just last week at Black Hat. It allows an attacker to bypass the application sandbox and elevate privileges, but it must be combined with a separate remote code execution vulnerability to ultimately be successful.
If you feel like you are constantly patching IE – you are. A cumulative update for the browser is now the rule more so than the exception. To help users keep up, Microsoft announced last week that it will support only the most recent version of IE for each supported operating system starting January 2016. In the meantime, it will offer customers migration resources and upgrade guidance.
Also last week, Microsoft said it will push out a new feature in IE that blocks ActiveX controls, including old versions of Java. This is a great security win for the enterprise, and IT should consider creating a group policy that blocks old versions of one of the bad guys’ favorite attack vectors. That is, of course, as long as your line-of-business apps are not tied to older versions.
August Patch Tuesday 2014
Click through for a closer look at Microsoft’s August Patch Tuesday releases, provided by Russ Ernst, director of product management at Lumension.
MS14-051 is a critical cumulative patch for IE that covers 25 CVEs for all supported versions of the browser. All but one CVE were privately disclosed. Microsoft has also announced that beginning January 2016, it will only support the most recent version of IE for each supported operating system. Additionally, Microsoft will push out a feature that blocks ActiveX controls, including older versions of Java. See more in the commentary below.
The second critical bulletin, MS14-043, covers one privately disclosed CVE: a vulnerability in Windows 7, 8 and 8.1 that could allow remote code execution when a malicious file is opened using Windows Media Center.
MS14-044 and MS14-050: Important
MS14-044 is for a vulnerability in SQL Server that could allow elevation of privilege. It covers two CVEs and can be triggered when a user visits a malicious website. MS14-050 is another server patch, in this instance for Microsoft SharePoint Server. It addresses a vulnerability that could allow elevation of privilege when a user installs a malicious app.
MS14-045 is for a vulnerability in kernel mode drivers that could allow elevation of privilege. This one spans all supported versions of Windows and includes three CVEs.
MS14-046 is for one privately disclosed CVE for a vulnerability in the .NET Framework that could allow security feature bypass. The important-class bulletin impacts Windows and Windows Server, from Vista to 8.1.
MS14-047 and MS14-048: Important
MS14-047 patches most versions of Windows for a vulnerability that could allow a security feature bypass in local remote procedure call (LRPC). And lastly, MS14-048 addresses a vulnerability in OneNote 2007 that could allow remote code execution when a specially crafted file is opened.
Remember, if you rely on WSUS, Windows Intune or System Center Configuration Manager (SCCM) for patching, you must apply the Windows 8.1 update issued in April 2014 before you can get any of the above-mentioned patches. Microsoft began enforcing that requirement with this Patch Tuesday release.