Microsoft’s patches this month are few, but no less important. In fact, critical in one case!

We generally compare two sources of information to understand the impact of Microsoft’s patch updates – Microsoft’s own feed plus information from an independent source, such as US-CERT, which uses the Common Vulnerability Scoring System (CVSS) to assess the potential impact of IT vulnerabilities. By contrasting two sources of information we can get the real picture of how the vulnerabilities affect your business.

In this latest round, announced last week, we have four updates, MS14-052, MS14-053, MS14-054 and MS14-055. Full details for each below. Now, what’s interesting here is that Microsoft has listed the latter three as Important but by using the CVSS we can actually understand that MS14-055 has a score of 7.8 out of 10. That’s pretty high and, in our experience, anything with a CVSS score that high needs to be urgently prioritised along with the Critical update MS14-052.
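The comparison described above, as an added example (not code from the original post): it parses the four rating rows from the summary table in this post, then flags any bulletin whose CVSS score is high even though the vendor rating is below Critical. The cut-off of 7.0 (the CVSS v2 "High" band as used by NVD) and the function names are assumptions of this sketch; the post itself only says that a score like 7.8 is high enough to prioritise.

```python
import re

# Rows copied from this post's summary table: vendor rating, CVSS score, bulletin ID.
ROWS = """\
Critical security bulletin 9.3 MS14-052
Important security bulletin 7.8 MS14-055
Important security bulletin 6.8 MS14-054
Important security bulletin 4.3 MS14-053
"""

ROW_RE = re.compile(
    r"^(Critical|Important|Moderate|Low) security bulletin (\d+(?:\.\d+)?) (MS\d{2}-\d{3})$")

def cvss_band(score):
    # Assumption: CVSS v2 bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0).
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def parse_rows(text):
    bulletins = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        bulletins.append({"vendor": m.group(1), "cvss": float(m.group(2)), "id": m.group(3)})
    return bulletins

def prioritise(bulletins):
    """Urgent = vendor rating Critical OR CVSS band High; urgent first, then by score."""
    plan = []
    for b in bulletins:
        band = cvss_band(b["cvss"])
        urgent = b["vendor"] == "Critical" or band == "High"
        # 'escalated' marks bulletins the vendor rating alone would leave in the normal queue.
        escalated = urgent and b["vendor"] != "Critical"
        plan.append({**b, "band": band, "urgent": urgent, "escalated": escalated})
    return sorted(plan, key=lambda b: (not b["urgent"], -b["cvss"]))

if __name__ == "__main__":
    for b in prioritise(parse_rows(ROWS)):
        tier = "URGENT" if b["urgent"] else "standard"
        note = " (escalated on CVSS)" if b["escalated"] else ""
        print(f'{b["id"]}  {b["vendor"]:<9} CVSS {b["cvss"]:<4} {b["band"]:<6} {tier}{note}')
```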

What’s the risk?

MS14-055 resolves vulnerabilities that could allow a denial of service attack against Microsoft Lync Server. This is rightfully a high-scoring ‘Important’ vulnerability that could allow someone to kill the server of a communications tool so vital to the operations of many, many businesses.

As an aside, I like to think of a denial of service attack as a marble in a bucket; the bucket is being used to remove water from a swimming pool. Every time the bucket is used, another marble finds its way in. Before long, you’re carrying a lot of marbles and not shifting much water! This vulnerability needs resolving – it’s time to lose your marbles.

MS14-052 has a CVSS score of 9.3. It’s a ‘rollup’ of 36 privately reported vulnerabilities, which affect all versions of Microsoft Internet Explorer. The vulnerability could allow an attacker to execute remote code. Again, it needs to be resolved.

Next steps 

Right now, we’re looking at the binary code for each patch update and moving towards testing and piloting the updates before deployment to customers. As with all our customers, we’ll be working through our agreed deployment process using Verismic Syxsense for rollout.

Feel free to leave a comment below if you have any viewpoints on the patch updates.

Microsoft score | CVSS score | Update no. | Affected software

Critical security bulletin | 9.3 | MS14-052
Windows Server 2003 Service Pack 2:
– Internet Explorer 6
– Internet Explorer 7
– Internet Explorer 8
Windows Server 2003 x64 Edition Service Pack 2:
– Internet Explorer 6
– Internet Explorer 7
– Internet Explorer 8
Windows Server 2003 with SP2 for Itanium-based Systems:
– Internet Explorer 6
– Internet Explorer 7
Windows Vista Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
Windows Vista x64 Edition Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
Windows Server 2008 for 32-bit Systems Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for x64-based Systems Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for Itanium-based Systems Service Pack 2:
– Internet Explorer 7
Windows 7 for 32-bit Systems Service Pack 1:
– Internet Explorer 8
– Internet Explorer 9
– Internet Explorer 10
– Internet Explorer 11
Windows 7 for x64-based Systems Service Pack 1:
– Internet Explorer 8
– Internet Explorer 9
– Internet Explorer 10
– Internet Explorer 11
Windows Server 2008 R2 for x64-based Systems Service Pack 1:
– Internet Explorer 8
– Internet Explorer 9
– Internet Explorer 10
– Internet Explorer 11
(Windows Server 2008 R2 Server Core installation not affected)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:
– Internet Explorer 8
Windows 8 for 32-bit Systems:
– Internet Explorer 10
Windows 8 for x64-based Systems:
– Internet Explorer 10
Windows Server 2012:
– Internet Explorer 10
(Windows Server 2012 Server Core installation not affected)
Windows RT:
– Internet Explorer 10
Windows 8.1 for 32-bit Systems:
– Internet Explorer 11
Windows 8.1 for x64-based Systems:
– Internet Explorer 11
Windows Server 2012 R2:
– Internet Explorer 11
(Windows Server 2012 R2 Server Core installation not affected)
Windows RT 8.1:
– Internet Explorer 11
Impact: Remote Code Execution
Version Number: 1.0

Important security bulletin | 7.8 | MS14-055
– Microsoft Lync Server 2010
– Microsoft Lync Server 2013
Impact: Denial of Service
Version Number: 1.0

Important security bulletin | 6.8 | MS14-054
– Windows 8 for 32-bit Systems
– Windows 8 for x64-based Systems
– Windows 8.1 for 32-bit Systems
– Windows 8.1 for x64-based Systems
– Windows Server 2012
(Windows Server 2012 Server Core installation affected)
– Windows Server 2012 R2
(Windows Server 2012 R2 Server Core installation affected)
– Windows RT
– Windows RT 8.1
Impact: Elevation of Privilege
Version Number: 1.0

Important security bulletin | 4.3 | MS14-053
Windows Server 2003 Service Pack 2
– Microsoft .NET Framework 1.1 Service Pack 1
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
Windows Server 2003 x64 Edition Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
Windows Server 2003 with SP2 for Itanium-based Systems
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 4
Windows Vista Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Vista x64 Edition Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Server 2008 for 32-bit Systems Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for x64-based Systems Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for Itanium-based Systems Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
Windows 7 for 32-bit Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows 7 for x64-based Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2008 R2 Server Core installation affected)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
Windows 8 for 32-bit Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows 8 for x64-based Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows 8.1 for 32-bit Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5.1/4.5.2
Windows 8.1 for x64-based Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5.1/4.5.2
Windows Server 2012
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2012 Server Core installation affected)
Windows Server 2012 R2
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5.1/4.5.2
(Windows Server 2012 R2 Server Core installation affected)
Windows RT
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows RT 8.1
– Microsoft .NET Framework 4.5.1/4.5.2
Impact: Denial of Service
Version Number: 1.0