Thursday, August 07, 2014

Microsoft Security Bulletin Advance Notice for August, 2014

Security Bulletin
On Tuesday, August 12, 2014, Microsoft is planning to release nine (9) bulletins.  Two of the bulletins are identified as Critical with the remaining seven as Important.

The updates address vulnerabilities in SQL Server, SharePoint, OneNote, .NET, Microsoft Windows, and Internet Explorer.   The first of the bulletins rated critical is for all supported versions of Internet Explorer on Windows Vista, Windows 7, Windows 8 and Windows 8.1. The second critical bulletin is not applicable to Windows Vista, Windows 7 Starter and Home Basic and only critical for the Professional version of Windows 8 and 8.1.

Windows 8.1 and Windows Server 2012 R2

It was announced in the Windows Blog that there will not be a Windows 8.1 Update 2.  Instead, improvements and enhancements will be provided on a more frequent basis through Windows Update, Microsoft Update and Windows Server Update Services.  Some of the new features and improvements included in the update on August 12 are included in the below-referenced Windows Blog article.

Outdated ActiveX Controls

Update:  As posted in the IE Blog, the ActiveX blocking described below will be delayed.  
"Addendum - 8/10/14

We have received several questions about this update, and would like to clarify these as well as make a quick announcement.

Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates."

FAQ's at the bottom of the updated blog post: Internet Explorer begins blocking out-of-date ActiveX controls

Another change to be included in the August updates is a welcome addition to Internet Explorer in which outdated ActiveX controls will be blocked.  Unfortunately, this will not apply to IE on Windows Vista, so those people with Oracle Java installed will need to continue carefully monitoring the Java install on their computer.

The supported configurations in which the out-of-date ActiveX control blocking feature will work with are the following:
  • Windows 7 SP1, Internet Explorer 8 through Internet Explorer 11
  • Windows 8 and up, Internet Explorer for the desktop
  • All Security Zones—such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone
Additional details are available in the IE Blog post referenced below.


As has been widely publicized, support ended for Windows XP and Office 2003 on April 8, 2014.  See Tim Rains article, The Risk of Running Windows XP After Support Ends April 2014. Note also that Microsoft Security Essentials will no longer be available for download for Windows XP.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    No comments: