Microsoft will release a special update later today (10am PT, 1pm ET, 7pm UTC) fixing the Internet Explorer vulnerability which has been used in targeted attacks recently. The vulnerability was announced late last week and affects Internet Explorer 6 and later on Windows versions back to Windows XP. The patch will be published as MS14-021 in line with the May update which is still expected for Tuesday, May 13th. We do rate this bulletin as "PATCH NOW!" for clients. Even though many organizations started to move away from Internet Explorer as a primary browser, it may still launch in some cases and unless you are using a non-Microsoft operating system you are likely vulnerable. Even servers should apply this patch, but it is less likely that the vulnerability is exposed on a server. Microsoft downplays the risk of the vulnerability for servers by labeling it as "Moderate" due to the crippled default configuration of Internet Explorer on servers. The patch pre-announcement does specifically list Widnows XP SP3 as vulnerable, indicating that the patch may cover Windows XP SP 3 even though no more patches were expected for Windows XP. Overview of the May 2014 Microsoft patches and their status.
We will update issues on this page for about a week or so as they evolve.
We appreciate updates US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY (*): ISC rating
(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches. [1] https://technet.microsoft.com/en-us/library/security/ms14-may.aspx ------ |
Johannes 4043 Posts ISC Handler May 1st 2014 |
||||||||||||||||||||||
Thread locked Subscribe |
May 1st 2014 6 years ago |
||||||||||||||||||||||
A most welcome news, to be certain. Thanks for the update Johannes :)
|
ChrisHolland 3 Posts |
||||||||||||||||||||||
Quote |
May 1st 2014 6 years ago |
||||||||||||||||||||||
Download links in the bulletin for at least IE6 and 7 on Windows XP SP3 work and will download a standalone update. The WinXP-SP3 IE8 link appears broken when I tried it, but I expect that will be fixed soon enough.
|
Brian Bartlett 5 Posts |
||||||||||||||||||||||
Quote |
May 1st 2014 6 years ago |
||||||||||||||||||||||
Kudos to Microsoft for the quick patch. However, I have a mixed reaction to it issuing a patch for XP, which will happen, according to the security bulletin. I'm happy for my few remaining XP users. I'm chagrined because I have been assuring users for some time that the April 8th patches were absolutely, positively the last that would be issued for XP. This waffling makes Microsoft look indecisive, and can only create expectations that more XP patches are forthcoming. I really don't mind if MS makes itself look bad. However, in the process it has also undermined the credibility of those of us who told our users that the April 8 deadline was real. I'm more than a bit miffed at that.
-SAM |
Brian Bartlett 10 Posts |
||||||||||||||||||||||
Quote |
May 1st 2014 6 years ago |
||||||||||||||||||||||
I read in the Technet article that the most recent cumulative update for IE is a prerequisite for this patch to avoid certain compatibility issues. That would be MS14-018 or MS14-012 depending on the version of IE being updated, if I remember correctly.
G |
Gavin 4 Posts |
||||||||||||||||||||||
Quote |
May 2nd 2014 6 years ago |
||||||||||||||||||||||
I guess that this is available for Windows XP because it is a patch to Internet Explorer, not Windows, and the same version of IE is available for Windows 2003 Server which is still supported.
patermann |
patermann 35 Posts |
||||||||||||||||||||||
Quote |
May 2nd 2014 6 years ago |
||||||||||||||||||||||
Quoting Anonymous:However, I have a mixed reaction to it issuing a patch for XP, which will happen, according to the security bulletin. I'm happy for my few remaining XP users. I'm chagrined because I have been assuring users for some time that the April 8th patches were absolutely, positively the last that would be issued for XP. This waffling makes Microsoft look indecisive, and can only create expectations that more XP patches are forthcoming. I really don't mind if MS makes itself look bad. However, in the process it has also undermined the credibility of those of us who told our users that the April 8 deadline was real. I'm more than a bit miffed at that. Nothing new of the wobble of MS SAM. However, like you, I am pleased they did this for the XP users for this reason only. MS has known for years about this issue, long before Vista, 7, 8 et all. One of the many reasons few (like myself) use I.E. Contemporaneously speaking, sad that the GOV did not hold MS accountable for this security issue long ago. Like Java folly, it takes the GOV to say stop using it before companies "smell the coffee" Now the GOV should tack on fee's to these companies when the use lethargic mode in fixing. Regards.. |
ICI2I 63 Posts |
||||||||||||||||||||||
Quote |
May 2nd 2014 6 years ago |
||||||||||||||||||||||
Heck, government's one of the worst offenders. Not only does our state gov have web apps that towns are required to use that work ONLY in IE, but they actually distribute systems to certain local entities and *require* them to run them - they're still on XP. But "it's ok because they're on a VPN." 0_o
|
Jaybone 27 Posts |
||||||||||||||||||||||
Quote |
May 2nd 2014 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!