Tuesday, May 13, 2014

Microsoft Security Bulletin for May 2014


Microsoft released eight (8) bulletins.  Two of the bulletins are identified as Critical with the remaining six as Important.

The updates address 13 Common Vulnerabilities and Exposures (CVEs) in .NET Framework, Office, SharePoint, Internet Explorer, and Windows.

Regarding .NET Framework MS14-026, if you have had problems with it in the past, it is advised that you install that update separately, followed by a shutdown/restart.

Please refer to the MSRC Blog post, linked below, for information regarding new and updated Security Advisories, Security Advisory 2871997, Security Advisory 2960358 and Security Advisory 2962824.

Critical:

  • MS14-029 -- Security Update for Internet Explorer (2962482)
  • MS14-022 -- Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)

Important:

  • MS14-023 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037)
  • MS14-025 -- Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)
  • MS14-026 -- Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)
  • MS14-027 -- Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488) 
  • MS14-028 -- Vulnerability in iSCSI Could Allow Denial of Service (2962485)

MSRT

Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.


Windows XP and Windows 8.1

As has been widely publicized, support for Windows XP and Office 2003 has ended.  Thus, there will be no further security updates for those products.  See Tim Rains' article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.

Although Microsoft has stopped providing Microsoft Security Essentials for download, definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.

Important note for Windows 8.1 users:  Windows 8.1 Update Requirement Extended


____________

The following additional information is provided in the Security Bulletin:



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...




Adobe Flash Player Critical Security Update

Adobe has released security updates for Adobe Flash Player 13.0.0.206 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.356 and earlier versions for Linux.

With today's Windows Update, Internet Explorer 10 and 11 in Windows 8 and Windows 8.1 will be updated.  Windows RT must obtain the update from Windows Update.  Google Chrome will be automatically updated.



Update Information

The newest versions are as follows:
Windows and Macintosh:  13.0.0.214
Linux: 11.2.202.359
Users of the Adobe AIR 13.0.0.83 SDK and earlier versions should update to the Adobe AIR 13.0.0.111 SDK.

Release date: May 13, 2014
Vulnerability identifier: APSB14-14

CVE numbers: CVE-2014-0510, CVE-2014-0516, CVE-2014-0517, CVE-2014-0518, CVE-2014-0519, CVE-2014-0520
Platform: All Platforms

Flash Player Update Instructions

Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

It is recommended that you either use the auto-update mechanism within the product when prompted or, my preference, the direct download links.

    Notes:
    • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
    • Uncheck any toolbar offered with Adobe products if not wanted.
    • If you use alternate browsers, it is necessary to install both the update for Internet Explorer and the update for alternate browsers.
    • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
    • As requested by a Security Garden reader, the update information for the "Extended Release of Flash Player 11.7" can be found here. Note, however, that beginning May 13, 2014, Adobe Flash Player 13 for Mac and Windows will replace version 11.7 as the extended support version.

    Adobe Flash Player for Android

    The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

    Verify Installation

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

    Do this for each browser installed on your computer.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.



    Adobe Reader Critical Security Update

    Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.06) and earlier versions for Windows and Macintosh.  These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.


    Release date: May 13, 2014
    Vulnerability identifier: APSB14-15
    CVE numbers: CVE-2014-0511, CVE-2014-0512, CVE-2014-0521, CVE-2014-0522, CVE-2014-0523, CVE-2014-0524, CVE-2014-0525, CVE-2014-0526, CVE-2014-0527, CVE-2014-0528, CVE-2014-0529
    Platform: Windows and Macintosh

    Update or Complete Download

    Update checks can be manually activated by choosing Help > Check for Updates.
      Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

      Windows XP


      If you are still using Windows XP and have Adobe Reader installed, please note that there will be no additional security updates for it.  I suggest uninstalling it and installing an alternate reader.  Personally, I like Sumatra PDF.  It isn't a target and doesn't include unwanted extras with the install or updates.  (See Replacing Adobe Reader with Sumatra PDF.)  Adobe Reference:  End of support | Acrobat and Reader for Windows XP

        Enable "Protected View"

        Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode nor the Protected View option is available for Macintosh users.

        To enable this setting, do the following:
        • Click Edit > Preferences > Security (Enhanced) menu. 
        • Change the "Off" setting to "All Files".
        • Ensure the "Enable Enhanced Security" box is checked. 

        Adobe Protected View
        Image via Sophos Naked Security Blog
        If you are looking for a replacement for Adobe Reader, consider Replacing Adobe Reader with Sumatra PDF.




        Thursday, May 08, 2014

        Security Bulletin Advance Notice for May, 2014

        On Tuesday, May 13, 2014, Microsoft is planning to release eight (8) bulletins.  Two of the bulletins are identified as Critical with the other six as Important.

        The updates address vulnerabilities in Microsoft Windows, Office, Internet Explorer and .NET Framework. 

        Note:  In the event you have had problems with .NET Framework in the past, it is advised that it be installed separately with a shutdown/restart. 

        If you've run into the situation where installing an update for the Microsoft .NET Framework 4 takes a long time, consider the Microsoft Fix it solutions located in Installing updates for the Microsoft .NET Framework 4 can take longer than expected in some scenarios.

        Reminder

        As has been widely publicized, support ended for Windows XP and Office 2003 on April 8, 2014.  See Tim Rains' article, The Risk of Running Windows XP After Support Ends April 2014. Note also that Microsoft Security Essentials will no longer be available for download for Windows XP.

        As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.






        Thursday, May 01, 2014

        Out of Band Security Update for IE Zero-Day Vulnerability


        Microsoft released an out-of-band security update to address the security vulnerability in Internet Explorer described in Microsoft Security Advisory 2963983.

        Of important note:  Although Windows XP is no longer supported by Microsoft, the decision was made to issue a security update for Windows XP users.

        Critical:

        • MS14-021 -- Security Update for Internet Explorer (2965111) 

          This security update resolves a publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

