Microsoft only published 8 instead of the promised 9 bulletins. Also, of particular interest is MS14-060 which was pre-announced by iSight Partners. iSight has seen this vulnerability exploited in some "APT" style attacks against NATO/US military interests and attributes these attacks to Russia. Attacks like this have happened with many Office vulnerabilities in the past, but it is unusual for a company to announce the respective attacks and CVE numbers ahead of Microsoft's bulletin release.

Note that we got a total of 3 already exploited vulnerabilities in this month's release. Don't believe patching fast will protect you. You are probably a few weeks if not months behind at the time the patch is released.

Overview of the October 2014 Microsoft patches and their status.
We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.
(*): ISC rating
Johannes 4068 Posts ISC Handler Oct 14th 2014
MS14-058 - I think you just used the wrong rating, should be red and critical. I notice you have mentioned it's critical but have used orange for moderate.
Zain Khan 4 Posts
Oct 14th 2014
Thanks! I fixed it. I didn't pay attention on this one and marked it as "important" like prior kernel driver priv. escalation vuln. But this one is a remote code exec vulnerability and has already been exploited.
Johannes 4068 Posts ISC Handler
Oct 14th 2014
I also see some security "advisories":
Vulnerability in SSL 3.0 Could Allow Information Disclosure https://technet.microsoft.com/library/security/3009008
Update for Microsoft EAP Implementation that Enables the Use of TLS https://technet.microsoft.com/library/security/2977292
Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 https://technet.microsoft.com/library/security/2949927
And a question: that last one (2949927) was removed, with a recommendation to un-install. Does this qualify as a "pulled patch"? What was the problem?
Paul Szabo 13 Posts
Oct 18th 2014