Tuesday, February 11, 2014

Microsoft Security Bulleting Release for February 2014


Microsoft updated the Advance Notice to include two additional critical bulletin, resulting in the release of seven (7) bulletins.  Four of the bulletins are identified as Critical with the remaining three as Important.

The security updates address 31 unique CVEs in Microsoft Windows, Internet Explorer, .NET Framework and Forefront Protection for Exchange.

In the event you have had problems with .NET in the past, it is suggested that the .NET update, MS14-009, be installed separately from the other updates with a shutdown/restart. 

Critical:

  • MS14-010 -- Cumulative Security Update for Internet Explorer (2909921)
  • MS14-011 -- Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390)
  • MS14-007 -- Vulnerability in Direct2D Could Allow Remote Code Execution (2912390)
  • MS14-008 -- Vulnerability in Microsoft Forefront Protection for Exchange Could Allow Remote Code Execution (2927022)

Important: 
  • MS14-009 -- Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607)
  • MS14-005 -- Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036)
  • MS14-006 -- Vulnerability in IPv6 Could Allow Denial of Service (2904659)

February Security Advisory Implementation

As described in Security Advisory 2862973, usage of the MD5 hash algorithm in certificates will be restricted. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Prerequisite:  KB 2862966
Known Issues:  KB 286973

MSRT

Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  The target for February is Jenxcus, a worm coded in VBScript.

Windows XP End of Support

Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.

Also note that after April 8, 2014, technical assistance for Windows XP will no longer be available.  This includes automatic updates that help protect your PC. Microsoft will also stop providing Microsoft Security Essentials for download.  Note, however, that definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.


The following additional information is provided in the Security Bulletin:

References




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


No comments: