Today, as part of Update Tuesday, we released nine security bulletins – three rated Critical and six rated Important in severity – to address 56 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software.
We encourage you to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploitability Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate the XI, a full description can be found here.
Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate – to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).
We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”
For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.
In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.
For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.
Tracey Pretorius, Director Response Communications
Today, we provide advance notification for the release of 16 Security Bulletins. Five of these updates are rated Critical, nine are rated as Important, and two are rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).
As per our monthly process, we've scheduled the Security Bulletin release for the second Tuesday of the month, November 11, 2014, at approximately 10 a.m. PST. At that time, we'll provide deployment guidance. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.
We also want to let you know about a new way we will deliver our Security Bulletins. To streamline the way customers receive our security updates, we are directing customers to resources that will be available on the MSRC blog on Update Tuesday.
Today, we released Security Advisory 3010060 to provide additional protections regarding limited, targeted attacks directed at Microsoft Windows customers. A cyberattacker could cause remote code execution if someone is tricked into opening a maliciously crafted PowerPoint document that contains an infected Object Linking and Embedding (OLE) file.
As part of this Security Advisory, we have included an easy, one-click Fix it solution to address the known cyberattack. Please review the "Suggested Actions" section of the Security Advisory for additional guidance. Applying the Fix it does not require a reboot. We suggest customers apply this Fix it to help protect their systems.
The Enhanced Mitigation Experience Toolkit (EMET) also helps to defend against this cyberattack when configured to work with Microsoft Office software. The necessary configuration steps for EMET are provided in the "Suggested Actions" section of the Security Advisory.
We also encourage you to follow the "Protect Your Computer" guidance by enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we recommend that individuals avoid clicking suspicious links, or opening email messages from unfamiliar senders. More information can be found at www.microsoft.com/protect.
We continue to work on a security update to address this cyberattack. We're monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.
As security professionals, we are trained to think in worst-case scenarios. We run through the land of the theoretical, chasing “what if” scenarios as though they are lightning bugs to be gathered and stashed in a glass jar. Most of the time, this type of thinking is absolutely the correct thing for security professionals to do. We need to be prepared for when, not if, these disruptive events occur. However, every now and then, it can be productive to draw ourselves out of this hypothetical mentality and look instead at the real impact in the here and now.
Speaking of the here and now, today we release seven security bulletins, two rated Critical and five rated Important in severity, addressing 66 Common Vulnerabilities and Exposures (CVEs) for Microsoft Windows, Internet Explorer, and Microsoft Office customers. But before we get into the details of the updates, I want to take a moment to provide some additional insight into how we assess and recommend those severity ratings. For every issue, we consider “what if” – what’s the severest outcome from a potential cyberattack? We want to provide our best guidance on the risk assessment for our customers, and that requires consideration of the worst-case scenario.
If we consider the worst-case scenario analogous to a tree falling in the woods, is there a sound if no one is around to hear it? Similarly, does a vulnerability make a sound if it never gets exploited? When we become aware of a potential security issue, we work to fix it regardless of whether or not it is under active attack. In other words, it doesn’t matter if that falling tree makes a noise; we still have an action to take. Why? Because one day in the future, it’s possible what we’re delivering today could get exploited if not addressed. However, we’re not in the future; we’re in the land of the here and now. And while we are in this land, we sometimes confuse theoretical thinking with the actuality of impact to real people. Until something actually occurs it is still theory; we’re taking the theoretical and making practical updates against future “what ifs”.
Let’s look at an example from this month’s release. The security bulletin for Internet Explorer (IE) resolves 59 items, including CVE-2014-1770. The most serious of these could allow remote code execution if a user views a webpage specially crafted by a cybercriminal. We still haven’t seen any active attacks attempting to exploit any of the other CVEs addressed by this bulletin. While there are a number of things being addressed this time around, it’s important to note that, to our knowledge, none of these now-addressed CVEs have caused any customer impact to date.
Addressing items before active attacks occur helps keep customers better protected. The Internet Explorer update for this month includes additional security updates that will help protect our customers, which is yet another reason why it’s good to stay current with the latest updates.
If you’ve seen the recent blog from the IE team, you’ll also see another message: Customers should update to the latest version of Internet Explorer. For Windows 7 and Windows 8.1, that means Internet Explorer 11—the most modern, secure browser we’ve ever built. IE11 has advanced security features like Enhanced Protection Mode (EPM) and SmartScreen Filter, support for modern web standards, and Enterprise Mode for rendering legacy web apps. Internet Explorer 11 is much more secure than older versions, which is why we encourage customers to upgrade.
There are six other bulletins released today to improve your security as well. For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.
Here’s an overview of all the updates released today:
As always, we encourage you to apply all of the updates, but for those who prioritize, we recommend the Word and Internet Explorer updates be on the top of your list.
Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-16. For more information about this update, including download links, see Microsoft Knowledge Base Article 2966072.
Watch the bulletin overview video below for a brief summary of today's releases.
Andrew Gross and I will host the monthly security bulletin webcast, scheduled for Wednesday, June 11, 2014, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins.