Wednesday, August 27, 2014

Microsoft Security Bulletin MS14-045 Re-released


Due to issues some customers had with KB 2982791, Microsoft pulled that update on August 15, 2014.  KB 2993651 has been released as a replacement.

Although the original update did not cause problems for me or for anyone in the forums where I spend time, there was considerable discussion on whether or not KB 2982791 should still be uninstalled.

As indicated in the Update FAQ of the revised bulletin on TechNet, Microsoft Security Bulletin MS14-045, even if you have not had any problems, if you have KB 2982791 installed, it should be uninstalled.

How to Uninstall KB 2982791


  • Go to Control Panel\All Control Panel Items\Windows Update\View update history
  • Click "Installed Updates".  
  • Wait while the updates load.  If you have updates sorted by the Name column, you can find KB 2982791 at the bottom of the list.

MS14-045 Update FAQ

Following is a copy of the applicable information from Update FAQ:
Why was this bulletin revised on August 27, 2014? What happened to the original 2982791 security update?

To address known issues with security update 2982791, Microsoft rereleased MS14-045 to replace the 2982791 update with the 2993651 update for all supported releases of Microsoft Windows. Microsoft expired update 2982791 on August 15, 2014. All customers should apply the 2993651 update, which replaces the expired 2982791 update. Microsoft strongly recommends that customers who have not uninstalled the 2982791 update do so prior to applying the 2993651 update.{emphasis added}


I already successfully installed the original 2982791 security update and am not experiencing any difficulties. Should I apply the replacement update (2993651) released on August 27, 2014? 
Yes. All customers should apply the 2993651 update, which replaces the expired 2982791 update. Customers do not need to uninstall the expired 2982791 update before applying the 2993651 update; however, Microsoft strongly recommends it. Customers who do not remove the expired update will retain a listing for 2982791 under installed updates in Control Panel.

I uninstalled the original 2982791 security update. Should I apply the August 27, 2014 rereleased update (2993651)?

Yes. To be protected from CVE-2014-0318 and CVE-2014-1819, all customers should apply the rereleased update (2993651), which replaces the expired 2982791 update.
What if I experienced difficulties restarting my system after installing security update 2982791? 
Customers who experienced difficulties restarting their systems after installing security update 2982791 should no longer experience this problem after installing the replacement update (2993651). For more information about the problem with update 2982791, see the Known Issues section of Microsoft Knowledge Base Article 2982791.
References:

Home
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Tuesday, August 12, 2014

Microsoft Security Bulletin Release for August 2014


Microsoft released nine (9) bulletins.  Two of the bulletins are identified as Critical with the remaining seven as Important.

The updates address 37 Common Vulnerabilities & Exposures (CVEs) in SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer (IE). Reminder to those who have problems with .NET updates to install separately with a restart between other updates.

Critical:

  • MS14-051 -- Cumulative Security Update for Internet Explorer (2976627) 
  • MS14-043 -- Vulnerability in Windows Media Center Could Allow Remote Code Execution (2978742) 
Important:
  • MS14-048 -- Vulnerability in OneNote Could Allow Remote Code Execution (2977201) 
  • MS14-044  -- Vulnerabilities in SQL Server Could Allow Elevation of Privilege (2984340) 
  • MS14-045  -- Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2984615) 
  • MS14-049  -- Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) 
  • MS14-050  -- Vulnerability in Microsoft SharePoint Server Could Allow Elevation of Privilege (2977202) 
  • MS14-046  -- Vulnerability in .NET Framework Could Allow Security Feature Bypass (2984625) 
  • MS14-047 -- Vulnerability in LRPC Could Allow Security Feature Bypass (2978668)

Notes

  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.  The updated version includes Win32/Lecpetex which will assist with the detection and clean-up of this family following the recent Facebook take-down of the Lecpetex botnet.  Additional details ave available in the MMPC blog post.
  • Internet Explorer -- As noted in the Addendum to Internet Explorer begins blocking out-of-date ActiveX controls, blocking out-of-date ActiveX controls is being delayed for 30 days in order to give customers time to test and manage their environments. 
  • Windows 8.1 -- Non-security new features and improvements for Windows 8.1. will now be included with the second Tuesday of the month updates.  Additional information is available at August updates for Windows 8.1 and Windows Server 2012 R2.
  • Windows XP -- Although Microsoft has stopped providing Microsoft Security Essentials for Windows XP, definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.
  • Other -- Changes to Internet Explorer and .NET Framework end of support dates were announced.  Refer to the references linked below.

The following additional information is provided in the Security Bulletin:

References




    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...



    Adobe Reader and Acrobat Security Update

    Adobe
    Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.07) and earlier versions for Windows.

    These updates address a vulnerability that could allow an attacker to circumvent sandbox protection on the Windows platform.  Adobe Reader and Acrobat for Apple's OS X are not affected.

    Release date: August 12, 2014
    Vulnerability identifier: APSB14-19
    CVE numbers: CVE-2014-0546
    Platform: Windows

    Update or Complete Download

    Update checks can be manually activated by choosing Help > Check for Updates.
      Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

      Windows XP


      If you are still using Windows XP and have Adobe Reader installed, please note that there will be no additional security updates for it.  I suggest uninstalling it and install an alternate reader.  Personally, I like Sumatra PDF.  It isn't a target and doesn't include unwanted extras with the install or updates.  (See Replacing Adobe Reader with Sumatra PDF.)  Adobe Reference:  End of support | Acrobat and Reader for Windows XP

        Enable "Protected View"

        Due to frequent vulnerabilities, it is recommended that Windows users of Adobe Reader and Acrobat ensure that Protected View is enabled.  Neither the Protected Mode or Protected View option is available for Macintosh users.

        To enable this setting, do the following:
        • Click Edit > Preferences > Security (Enhanced) menu. 
        • Change the "Off" setting to "All Files".
        • Ensure the "Enable Enhanced Security" box is checked. 

        Adobe Protected View
        Image via Sophos Naked Security Blog
        If you are looking for a replacement for Adobe Reader, consider Replacing Adobe Reader with Sumatra PDF.

        References




        Home
        Remember - "A day without laughter is a day wasted."
        May the wind sing to you and the sun rise in your heart...



        Adobe Flash Player and AIR Security Updates

        Adobe Flashplayer

        Adobe has released security updates for Adobe Flash Player 14.0.0.145 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.394 and earlier versions for Linux.

        These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system

        Internet Explorer in Windows 8x systems will be updated via Windows Update.  Windows RT must obtain the update from Windows Update.  Google Chrome will be automatically updated.


        Update Information

        The newest versions are as follows:
        ActiveX for IE and Macintosh version:  14.0.0.176
        Plugin:  14.0.0.179
        Linux: 11.2.202.400
        Users of Adobe AIR 14.0.0.110 and earlier versions for Windows and Macintosh should update to the Adobe AIR 14.0.0.178.

        Release date: August 12, 2014
        Vulnerability identifier: APSB14-18

        CVE number: CVE-2014-0538, CVE-2014-0540, CVE-2014-0541, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545

        Platform: All Platforms

        Flash Player Update Instructions

        Warning:  Although Adobe suggests downloading the update from the Adobe Flash Player Download Center, that link includes a pre-checked option to install unnecessary extras, such as McAfee Scan Plus or Google Drive.  If you use the download center, uncheck any unnecessary extras.

        It is recommended that you either use the auto-update mechanism within the product when prompted, or my preference, the direct download links.

          Notes:
          • If you use the Adobe Flash Player Download Center, be careful to uncheck any optional downloads that you do not want.  Any pre-checked option is not needed for the Flash Player update.
          • Uncheck any toolbar offered with Adobe products if not wanted.
          • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
          • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.
          • As requested by a Security Garden reader, the update information for the "Extended Release of Flash Player 11.7" can be found here. Note, however, that beginning May 13, 2014, Adobe Flash Player 13 for Mac and Windows replaced version 11.7 as the extended support version.
          Adobe Flash Player for Android

          The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.   

          Verify Installation

          To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

          Do this for each browser installed on your computer.

          To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

          References







          Remember - "A day without laughter is a day wasted."
          May the wind sing to you and the sun rise in your heart...


          Thursday, August 07, 2014

          Microsoft Security Bulletin Advance Notice for August, 2014

          Security Bulletin
          On Tuesday, August 12, 2014, Microsoft is planning to release nine (9) bulletins.  Two of the bulletins are identified as Critical with the remaining seven as Important.

          The updates address vulnerabilities in SQL Server, SharePoint, OneNote, .NET, Microsoft Windows, and Internet Explorer.   The first of the bulletins rated critical is for all supported versions of Internet Explorer on Windows Vista, Windows 7, Windows 8 and Windows 8.1. The second critical bulletin is not applicable to Windows Vista, Windows 7 Starter and Home Basic and only critical for the Professional version of Windows 8 and 8.1.

          Windows 8.1 and Windows Server 2012 R2

          It was announced in the Windows Blog that there will not be a Windows 8.1 Update 2.  Instead, improvements and enhancements will be provided on a more frequent basis through Windows Update, Microsoft Update and Windows Server Update Services.  Some of the new features and improvements included in the update on August 12 are included in the below-referenced Windows Blog article.

          Outdated ActiveX Controls

          Update:  As posted in the IE Blog, the ActiveX blocking described below will be delayed.  
          "Addendum - 8/10/14

          We have received several questions about this update, and would like to clarify these as well as make a quick announcement.

          Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates."

          FAQ's at the bottom of the updated blog post: Internet Explorer begins blocking out-of-date ActiveX controls

          Another change to be included in the August updates is a welcome addition to Internet Explorer in which outdated ActiveX controls will be blocked.  Unfortunately, this will not apply to IE on Windows Vista, so those people with Oracle Java installed will need to continue carefully monitoring the Java install on their computer.

          The supported configurations in which the out-of-date ActiveX control blocking feature will work with are the following:
          • Windows 7 SP1, Internet Explorer 8 through Internet Explorer 11
          • Windows 8 and up, Internet Explorer for the desktop
          • All Security Zones—such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone
          Additional details are available in the IE Blog post referenced below.

          Reminder

          As has been widely publicized, support ended for Windows XP and Office 2003 on April 8, 2014.  See Tim Rains article, The Risk of Running Windows XP After Support Ends April 2014. Note also that Microsoft Security Essentials will no longer be available for download for Windows XP.

          As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

          References




            Remember - "A day without laughter is a day wasted."
            May the wind sing to you and the sun rise in your heart...