Microsoft Updates MS14-066
Microsoft updated MS14-066 to warn users about problems caused by the additional cipher suites added with the update [1]. It appears that clients that do not support these cipher suites may fail to connect at all. The "quick fix" is to remove the cipher suites by editing the respective registry entry (see the KB article linked below for details).
One user reported to us performance issues, related to these cipher suites, when connecting from MSFT Access to SQL Server.
Sadly, MS14-066 hasn't been Microsoft's best vulnerability announcement. The initial bulletin omitted important details (like the impact of the certificate bypass vulnerability). So far, a total of 3 vulnerabilities are being discussed in conjunction with MS14-066, while the bulletin only lists one CVE number. How the bug was disclosed has also caused confusion, with some Microsoft publications listing external discovery (but private disclosure) and others indicating internal disclosure.
[1] https://support.microsoft.com/kb/2992611
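The registry edit the KB article describes, written out as an added PowerShell example (not code from the diary or from Microsoft): it audits which of the suites KB2992611 added are currently offered and, with -Remove, writes an SChannel cipher suite order policy without them. The two registry paths and the four suite names are the ones documented in the KB article, not on this page, and the script assumes the Windows 8.1 / Server 2012 R2 layout the KB covers; the trade-off is that the affected clients connect again while those GCM suites are no longer offered.

```powershell
# Added example (not from the diary or the KB): audit, and with -Remove strip, the
# four cipher suites that KB2992611 added, via the SChannel cipher suite order policy.
# Key paths and suite names are those documented in KB2992611 (assumption: verify
# against the KB for your OS version). Run elevated; a reboot applies the change.
param([switch]$Remove)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$defaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$kbSuites = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

# A policy value (REG_SZ, comma separated) overrides the built-in list
# (REG_MULTI_SZ); fall back to the latter so the audit shows what SChannel offers.
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy) {
    $source  = 'policy'
    $current = @($policy.Functions -split ',' | Where-Object { $_ })
} else {
    $source  = 'default list'
    $current = @((Get-ItemProperty -Path $defaultKey -Name Functions).Functions)
}

$present = @($current | Where-Object { $kbSuites -contains $_ })
Write-Output ('Cipher suite order from {0}: {1} suites, {2} added by KB2992611' -f $source, $current.Count, $present.Count)
$present | ForEach-Object { Write-Output "  $_" }

if ($Remove -and $present.Count -gt 0) {
    # Keep a copy of the order in effect before the change, then write the policy
    # value without the four suites (the policy key is created if it did not exist).
    $backup = Join-Path $env:TEMP ('CipherSuiteOrder-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    $current | Set-Content -Path $backup
    $remaining = @($current | Where-Object { $kbSuites -notcontains $_ }) -join ','
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name Functions -Value $remaining -Type String
    Write-Output "Wrote policy without $($present.Count) suite(s); previous order saved to $backup. Reboot to apply."
}
```

Run without -Remove first to see what the machine offers; the change only takes effect after a reboot, and restoring is a matter of writing the backed-up list back into the policy value (or deleting the policy value to return to the built-in order).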
Comments
Damn the torpedoes, full speed ahead! I cannot wait to see what tomorrow brings on this front as I have a funeral to attend at noon. I've made significant progress in patching though I've still two more non-internet exposed servers to go.
Overall, I've had good luck in my test environment and client's production environments so far.
Anonymous
Nov 16th 2014
https://support.microsoft.com/kb/2992611
without actually updating the MS14-066 bulletin
https://technet.microsoft.com/library/security/ms14-066
(that still does not mention "known issues").
Anonymous
Nov 17th 2014
Reading many articles I see not only issues with MS updates but also Flash, Oct. 31 their version crunched my machine and oddly enough couple of weeks later out came a new shiny version.
I wish I could say it is going to get better, but it is not. We were fed the ruse: update XP to Vista, then 7, then 8, blah, blah, that it will be much better. Well, it seems the old-age issue: put out crap code and react to it. Combine this with companies that are >90% clueless about security and we will continue to have "cracked links" in the chain and be REactive.
Fortunately, we have places like this to be PROactive,
Best to all...
ICI2I
Anonymous
Nov 17th 2014
MS14-066 Advisory
- https://aws.amazon.com/security/security-bulletins/ms14-066-advisory/
2014/11/14 5:30PM PST - "We are continuing to investigate the reported issues with the patch that was supplied for MS14-066. This updated status is being provided for the service below. We will continue to update this Security Bulletin for the other services previously identified as more information becomes available.
Amazon Relational Database Service (RDS):
Amazon RDS will build and deploy any required updates to affected RDS SQL Server instances. Any needed updates will require a restart of the RDS database instance. Communication of the specific timing of the update for each instance will be communicated via email or AWS Support directly to customers prior to any instance restart...
We will continue to provide updates to this security bulletin."
___
WinShock (KB2992611) Patch breaks IIS
- https://social.technet.microsoft.com/Forums/windowsserver/en-US/218cf562-3dab-4d09-adcc-74f65d0f29f1/winshock-kb2992611-patch-breaks-iis?forum=winserversecurity
Last entry (as of date/time of this post): Nov 16, 2014 12:01 AM
Anonymous
Nov 17th 2014
I told them that not only was I protecting them against something that most likely will happen with little or no warning. I also told them that I went ahead and installed all of the prerequisites needed for an accounting system upgrade we'll be doing in a few months while I was in there protecting them from MS14-066 which made them happy to hear that. Is that not what maintenance windows are for?
Of course, I also mentioned how a friend of mine and his IT department spent a whole lot of time flushing Conficker out of their network months after MS released the patch, while the whole business reverted back to pen and paper to function. Of course, I had my network patched and ready for it and was resting on my laurels. I really hate deploying patches so quickly, but sometimes the potential risk warrants doing it.
I just live with it when a patch takes out something. I will say iOS 8.x has not been kind to me, but each new release gets my iPad working better.
Anonymous
Nov 17th 2014
http://blog.beyondtrust.com/triggering-ms14-066