
Microsoft Security Bulletin Summary for October 2014

Oct 14, 2014 3:59AM PDT

Published: October 14, 2014

Microsoft released 8 new security updates today. Three (3) are rated Critical and five (5) as Important. The updates address 24 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Office, .NET Framework, ASP.NET, and Internet Explorer (IE).

Microsoft also released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Critical: 3

MS14-056 - Cumulative Security Update for Internet Explorer (2987107)
MS14-057 - Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414)
MS14-058 - Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)

Important: 5

MS14-059 - Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)
MS14-060 - Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869)
MS14-061 - Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434)
MS14-062 - Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)
MS14-063 - Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)

Security Bulletin: https://technet.microsoft.com/library/security/ms14-oct

* * * * * * * * * * * * * *

As noted by Tracey Pretorius @ the Microsoft Security Response Center blog:

We also revised Security Bulletin MS14-042: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) and Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

Today, Microsoft also announced upcoming updates to the out-of-date ActiveX control blocking feature. Beginning November 11, 2014, the out-of-date ActiveX control blocking feature will automatically be expanded to block outdated versions of Silverlight, in addition to outdated versions of Java. It is also being expanded to support Internet Explorer 9 on Windows Vista SP2 and Windows Server 2008 SP2. For more information on this, please visit the IEBlog.

http://blogs.technet.com/b/msrc/archive/2014/10/14/october-2014-updates.aspx

Microsoft Security Advisory (2949927)
Oct 18, 2014 7:58AM PDT
Published: October 14, 2014
Updated: October 17, 2014

Title: Vulnerability in SSL 3.0 Could Allow Information Disclosure

Version: 2.0
Removed Download Center links for Microsoft security update 2949927. Microsoft recommends that customers experiencing issues uninstall this update. Microsoft is investigating behavior associated with this update, and will update the advisory when more information becomes available.

https://technet.microsoft.com/library/security/2949927

Microsoft Security Advisory (3010060)
Oct 23, 2014 11:05PM PDT
Published: October 21, 2014

Title: Vulnerability in Microsoft OLE Could Allow Remote Code Execution

Version: 1.0

Summary:
Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed.

At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.

See the Suggested Actions section of this advisory for more information.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

https://technet.microsoft.com/library/security/3010060

(Fix it solution covered in the Suggested Actions section, under Workarounds)

Microsoft Security Advisory (3009008)
Oct 30, 2014 2:55AM PDT
Published: October 14, 2014
Updated: October 29, 2014

Title: Vulnerability in SSL 3.0 Could Allow Information Disclosure

Revision Note: V2.0 (October 29, 2014):

Revised advisory to announce the deprecation of SSL 3.0, to clarify the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer. For more information see Knowledge Base Article 3009008.

https://technet.microsoft.com/library/security/3009008

Note regarding Microsoft Fix It Solution for IE ...
Oct 30, 2014 9:42AM PDT

Tracey Pretorius writes in her blog post (Security Advisory 3009008 revised) at the Microsoft Security Response Center:

"Today, we revised Security Advisory 3009008 to provide an easy, one-click Fix it for customers to disable SSL 3.0 in all supported versions of Internet Explorer (IE)."

At the very bottom she adds:

'This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that supports only SSL 3.0 and does not support newer encryption protocols, they will receive a connection error message and will not be able to connect to that website.'

Continued: http://blogs.technet.com/b/msrc/archive/2014/10/29/security-advisory-3009008-released.aspx