
SANS ISC: InfoSec Handlers Diary Blog - Microsoft May 2014 Patch Tuesday



Microsoft May 2014 Patch Tuesday

Published: 2014-05-13
Last Updated: 2014-05-13 17:41:51 UTC
by Johannes Ullrich (Version: 1)

Overview of the May 2014 Microsoft patches and their status.

IMPORTANT: Don't miss MS14-029. This bulletin fixes ANOTHER vulnerability in MSIE that has already been used in targeted exploits! 

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS14-021 (released May 1st) | Security Update for Internet Explorer (Microsoft Windows, Internet Explorer): CVE-2014-1776 | KB 2965111 | Yes! | Severity: Critical, Exploitability: 1 | PATCH NOW | Critical |
| MS14-022 | Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (Microsoft Server Software, Productivity Software): CVE-2014-0251, CVE-2014-1754, CVE-2014-1813 | KB 2952166 | . | Severity: Critical, Exploitability: 1,3 | Important | Critical |
| MS14-023 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Microsoft Office): CVE-2014-1756, CVE-2014-1808 | KB 2961037 | . | Severity: Important, Exploitability: 1 | Critical | Important |
| MS14-024 | Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (ASLR Bypass) (Microsoft Office): CVE-2014-1809 | KB 2961033 | Yes | Severity: Important, Exploitability: NA | Important | Important |
| MS14-025 | Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (Group Policy Preferences): CVE-2014-1820 | KB 2962486 | . | Severity: Important, Exploitability: 1 | Important | Important |
| MS14-026 | Vulnerability in .NET Framework Could Allow Elevation of Privilege (Microsoft Windows, Microsoft .NET Framework): CVE-2014-1806 | KB 2958732 | . | Severity: Important, Exploitability: 1 | Important | Important |
| MS14-027 | Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (Microsoft Windows): CVE-2014-1807 | KB 2962488 | Yes | Severity: Important, Exploitability: 1 | Important | Important |
| MS14-028 | Vulnerability in iSCSI Could Allow Denial of Service (iSCSI): CVE-2014-0225, CVE-2014-0226 | KB 2962485 | . | Severity: Important, Exploitability: 3 | Important | Important |
| MS14-029 | Security Update for Internet Explorer (Microsoft Windows, Internet Explorer): CVE-2014-0310, CVE-2014-1815 | KB 2962482 | Yes | Severity: Critical, Exploitability: 1 | PATCH NOW! | Critical |

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

       

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: mspatchday