Microsoft Patch July 8 2014

Microsoft today released six security bulletins and updates to address the vulnerabilities disclosed in them. The updates address a total of 29 vulnerabilities.

Update at 2:20 pm ET: This story is updated below to clarify the exploitability of MS14-042.

  • MS14-037: Cumulative Security Update for Internet Explorer (2975687) — This update fixes 24 vulnerabilities, all of them memory corruption vulnerabilities, in every supported version of Internet Explorer. Ironically, the only IE version for which there are no critical vulnerabilities in this update is IE6 on Windows Server 2003. None of the vulnerabilities had been publicly disclosed or exploited.
     
  • MS14-038: Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) — A user who opens a specially-crafted Journal file can be exploited in their user context. All versions of Windows since Vista are affected and the vulnerability is critical on all of them. Running as a standard user limits the potential damage.
     
  • MS14-039: Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685) — When the on-screen keyboard is triggered by a malicious low-integrity process, that process could load and execute programs with the privileges of the current user. This vulnerability is rated important.
     
  • MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) — An attacker who has rights to log on locally could run a malicious program that would elevate privileges to kernel mode. This vulnerability is rated important.
     
  • MS14-041: Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681) — A user could elevate privilege by running a malicious program from a low-integrity process. Running IE in immersive mode with Enhanced Protected Mode helps to mitigate this problem. This vulnerability is rated important.
     
  • MS14-042: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) — A remote authenticated attacker could create and run a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system, triggering a denial of service. This vulnerability is rated moderate.

The Microsoft Exploitability Index for this month's updates says that successful exploit code for 28 of the 29 vulnerabilities is "likely." The 29th is rated Moderate and therefore not rated as to exploitability.

As is usually the case, Microsoft will also release a new version of the Windows Malicious Software Removal Tool and a large collection of non-security updates to various Windows versions.

Executive Summary: 

| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 2 | Critical, Remote Code Execution | May require restart | Microsoft Windows |
| Bulletin 3 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 4 | Important, Elevation of Privilege | Requires restart | Microsoft Windows |
| Bulletin 5 | Important, Elevation of Privilege | May require restart | Microsoft Windows |
| Bulletin 6 | Moderate, Denial of Service | Does not require restart | Microsoft Server Software |

Windows Operating System and Components

Windows Server 2003

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | None | None | Important | None |
| Windows Server 2003 Service Pack 2 | Internet Explorer 6 (Moderate), Internet Explorer 7 (Moderate), Internet Explorer 8 (Moderate) | Not applicable | Not applicable | Windows Server 2003 Service Pack 2 (Important) | Not applicable |
| Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 6 (Moderate), Internet Explorer 7 (Moderate), Internet Explorer 8 (Moderate) | Not applicable | Not applicable | Windows Server 2003 x64 Edition Service Pack 2 (Important) | Not applicable |
| Windows Server 2003 with SP2 for Itanium-based Systems | Internet Explorer 6 (Moderate), Internet Explorer 7 (Moderate) | Not applicable | Not applicable | Windows Server 2003 with SP2 for Itanium-based Systems (Important) | Not applicable |

Windows Vista

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Important | Important | Important |
| Windows Vista Service Pack 2 | Internet Explorer 7 (Critical), Internet Explorer 8 (Critical), Internet Explorer 9 (Critical) | Windows Vista Service Pack 2 (Critical) | Windows Vista Service Pack 2 (Important) | Windows Vista Service Pack 2 (Important) | Windows Vista Service Pack 2 (Important) |
| Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7 (Critical), Internet Explorer 8 (Critical), Internet Explorer 9 (Critical) | Windows Vista x64 Edition Service Pack 2 (Critical) | Windows Vista x64 Edition Service Pack 2 (Important) | Windows Vista x64 Edition Service Pack 2 (Important) | Windows Vista x64 Edition Service Pack 2 (Important) |

Windows Server 2008

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | Critical | Important | Important | Important |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7 (Moderate), Internet Explorer 8 (Moderate), Internet Explorer 9 (Moderate) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Important) |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7 (Moderate), Internet Explorer 8 (Moderate), Internet Explorer 9 (Moderate) | Windows Server 2008 for x64-based Systems Service Pack 2 (Critical) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Important) |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) | Not applicable | Windows Server 2008 for Itanium-based Systems Service Pack 2 (Important) | Windows Server 2008 for Itanium-based Systems Service Pack 2 (Important) | Not applicable |

Windows 7

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Important | Important | Important |
| Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 8 (Critical), Internet Explorer 9 (Critical), Internet Explorer 10 (Critical), Internet Explorer 11 (Critical) | Windows 7 for 32-bit Systems Service Pack 1 (Critical) | Windows 7 for 32-bit Systems Service Pack 1 (Important) | Windows 7 for 32-bit Systems Service Pack 1 (Important) | Windows 7 for 32-bit Systems Service Pack 1 (Important) |
| Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Critical), Internet Explorer 9 (Critical), Internet Explorer 10 (Critical), Internet Explorer 11 (Critical) | Windows 7 for x64-based Systems Service Pack 1 (Critical) | Windows 7 for x64-based Systems Service Pack 1 (Important) | Windows 7 for x64-based Systems Service Pack 1 (Important) | Windows 7 for x64-based Systems Service Pack 1 (Important) |

Windows Server 2008 R2

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | Critical | Important | Important | Important |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Moderate), Internet Explorer 9 (Moderate), Internet Explorer 10 (Moderate), Internet Explorer 11 (Moderate) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Important) |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Internet Explorer 8 (Moderate) | Not applicable | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Important) | Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Important) | Not applicable |

Windows 8 and Windows 8.1

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Important | Important | Important |
| Windows 8 for 32-bit Systems | Internet Explorer 10 (Critical) | Windows 8 for 32-bit Systems (Critical) | Windows 8 for 32-bit Systems (Important) | Windows 8 for 32-bit Systems (Important) | Windows 8 for 32-bit Systems (Important) |
| Windows 8 for x64-based Systems | Internet Explorer 10 (Critical) | Windows 8 for x64-based Systems (Critical) | Windows 8 for x64-based Systems (Important) | Windows 8 for x64-based Systems (Important) | Windows 8 for x64-based Systems (Important) |
| Windows 8.1 for 32-bit Systems | Internet Explorer 11 (Critical) | Windows 8.1 for 32-bit Systems (Critical) | Windows 8.1 for 32-bit Systems (Important) | Windows 8.1 for 32-bit Systems (Important) | Windows 8.1 for 32-bit Systems (Important) |
| Windows 8.1 for x64-based Systems | Internet Explorer 11 (Critical) | Windows 8.1 for x64-based Systems (Critical) | Windows 8.1 for x64-based Systems (Important) | Windows 8.1 for x64-based Systems (Important) | Windows 8.1 for x64-based Systems (Important) |

Windows Server 2012 and Windows Server 2012 R2

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|---|
| Aggregate Severity Rating | Moderate | Critical | Important | Important | Important |
| Windows Server 2012 | Internet Explorer 10 (Moderate) | Windows Server 2012 (Critical) | Windows Server 2012 (Important) | Windows Server 2012 (Important) | Windows Server 2012 (Important) |
| Windows Server 2012 R2 | Internet Explorer 11 (Moderate) | Windows Server 2012 R2 (Critical) | Windows Server 2012 R2 (Important) | Windows Server 2012 R2 (Important) | Windows Server 2012 R2 (Important) |

Windows RT and Windows RT 8.1

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|---|
| Aggregate Severity Rating | Critical | Critical | Important | Important | None |
| Windows RT | Internet Explorer 10 (Critical) | Windows RT (Critical) | Windows RT (Important) | Windows RT (Important) | Not applicable |
| Windows RT 8.1 | Internet Explorer 11 (Critical) | Windows RT 8.1 (Critical) | Windows RT 8.1 (Important) | Windows RT 8.1 (Important) | Not applicable |

Server Core installation option

| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 | Bulletin 5 |
|---|---|---|---|---|---|
| Aggregate Severity Rating | None | None | Important | Important | None |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Important) | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Important) | Not applicable |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Important) | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Important) | Not applicable |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Important) | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Important) | Not applicable |
| Windows Server 2012 (Server Core installation) | Not applicable | Not applicable | Windows Server 2012 (Server Core installation) (Important) | Windows Server 2012 (Server Core installation) (Important) | Not applicable |
| Windows Server 2012 R2 (Server Core installation) | Not applicable | Not applicable | Windows Server 2012 R2 (Server Core installation) (Important) | Windows Server 2012 R2 (Server Core installation) (Important) | Not applicable |

 

Windows Server Software

Microsoft Service Bus for Windows Server

| Bulletin Identifier | Bulletin 6 |
|---|---|
| Aggregate Severity Rating | Moderate |
| Microsoft Service Bus for Windows Server | Microsoft Service Bus for Windows Server (Moderate) |

The Bottom Line: Restart Your Windows Computers and Servers first thing Wednesday Morning!

Apple Mac and Linux users - no need