
Patch Tuesday

December Patch Tuesday updates from Microsoft

By Patch Management, Patch TuesdayNo Comments

The final Patch Tuesday of 2014 is upon us so with that in mind we thought we’d take a quick look at how the year stacks up. There were a total of 85 bulletins fixing 349 separate vulnerabilities in Microsoft’s products; 29 were rated as Critical, 53 as Important, and 3 rated Moderate. Internet Explorer featured heavily this year, with over 200 separate vulnerabilities being patched – January being the only month where Internet Explorer didn’t feature in any update.

Compared to last year there were 21 fewer patch updates, yet more individual vulnerabilities were patched in 2014 than in 2013 (349 vs. 332).

This month there are three Critical and four Important updates fixing a total of 25 vulnerabilities, including the delayed MS14-075 update from November, which we’ll cover first.

MS14-075

Rated as Important, this is the delayed update that was originally due to be released in November’s Patch Tuesday that addresses four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of the four could allow elevation of privilege if a user views a specially crafted web page using…Internet Explorer unsurprisingly! Should an attacker successfully exploit the vulnerability they would be able to gain the same rights as the current user.

Critical Updates

MS14-080

The most severe of the 14 privately reported vulnerabilities in this bulletin could allow remote code execution, again, if the user visits a specially crafted web page using Internet Explorer. Successful exploitation would give the same rights to the attacker as the current user.

MS14-081

The second of three Critical updates resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow for remote code execution if an attacker is able to convince a user to open, or even just preview, a specially crafted Microsoft Word file within an affected version of Microsoft Office software. The affected versions include: all supported editions of Microsoft Word 2007, Microsoft Office 2010, Microsoft Word 2010, Microsoft Word 2013, Microsoft Word 2013 RT, Microsoft Office for Mac 2011, Microsoft Word Viewer, Microsoft Office Compatibility Pack.

MS14-084

The final Critical update of 2014 is a security update that resolves a privately reported vulnerability in VBScript – the scripting engine in Microsoft Windows. If a user visits a specially crafted website the vulnerability could allow for remote code execution, which, if successfully exploited, will give the attacker the same rights as the current user. If the user is an administrator then the attacker could potentially take complete control of an affected system so it would be wise to prioritise this patch over the others.

Important Updates

The final three updates (unless an out-of-band patch is released) address three privately reported vulnerabilities across Microsoft Office and Microsoft Excel, as well as one publicly disclosed vulnerability in Microsoft Windows. All three of the privately reported vulnerabilities could allow for remote code execution if successfully exploited. Again, this could allow an attacker to gain the same rights as the current user.

The publicly disclosed vulnerability (MS14-085) could allow Information Disclosure should a user visit a website containing specially crafted JPEG content. Whilst this particular vulnerability doesn’t allow code execution, the information disclosed could reveal details about the system that could be used in conjunction with another vulnerability to bypass security features.

Next steps

As usual, we have included a breakdown of this month’s bulletin in the table below and have prioritised the patch updates by the independently rated CVSS score. We’d advise that you prioritise patches MS14-080, MS14-081, MS14-082, MS14-083 & MS14-084. For our customers, we will be analysing the binary code for each update and will be rolling out the patch updates using Verismic Syxsense, as per the agreed deployment process.

| Update No. | CVSS Score | Microsoft Score | Affected Software | Details |
|---|---|---|---|---|
| MS14-080 | 9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative Security Update for Internet Explorer (3008923) |
| MS14-081 | 9.3 | Critical | Microsoft Office | Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) |
| MS14-084 | 9.3 | Critical | Microsoft Windows | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) |
| MS14-082 | 9.3 | Important | Microsoft Office | Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) |
| MS14-083 | 9.3 | Important | Microsoft Office | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) |
| MS14-075 | 5.0 | Important | Microsoft Exchange | Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) |
| MS14-085 | 4.3 | Important | Microsoft Windows | Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) |

Prioritising patches properly – don’t always listen to Microsoft


It seems that it was only yesterday that patch/update Tuesday came and went, yet the next one is looming already.

As an IT guy I actually look forward to seeing the types of vulnerabilities that have been discovered in Microsoft’s products. Some are obviously more interesting than others, such as the vulnerability in Schannel, but what they all have in common is that they actually do pose a threat to your business.

We all know that patching is a vital process in keeping our businesses safe, but I do have some issues with Microsoft’s approach to patching. It’s very much a “fire and forget” exercise for them, whereby patch updates are released each month and your IT team is then expected to roll them out across the business.

Whilst this may be the most efficient way of releasing patches from Microsoft’s point of view, there are many instances where simply rolling them out is not an option. IT teams need to take a phased approach and test the patch updates before rolling them out, helping to mitigate any problems such as the dreaded blue screen of death.

Case in point was November’s MS14-066 update – there were a lot of reported problems when implementing the update, with Microsoft having to reissue the patch. Imagine if every business had implemented that immediately!

Keep in mind that Microsoft self-certifies vulnerabilities, and has a fairly easy-to-follow rating system:
• Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
• Important – These vulnerabilities are where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
• Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
• Low – The impact is comprehensively mitigated by the characteristics of the component.

If we take a look at November’s Patch Tuesday, there were a total of 14 separate patches fixing almost 40 vulnerabilities as well as an out-of-band patch a week later, five of which were rated as critical. So how do you prioritise these five if they’re all rated the same? Which vulnerability do you patch first?

When rolling out patches, it’s all well and good to do so if your business is located in one or two premises, but what if your business has a number of remote locations? Retail, transportation and oil and gas are all good examples.

If you were to take a large retail store open 24 hours a day, there needs to be a window of time where the systems are taken offline so they can be updated. Microsoft’s approach would be to suggest patching the Critical vulnerabilities first, and then work through the rest.

At Verismic, we provide a service to our customers to ensure that their entire IT infrastructure remains as up-to-date as possible, which includes rolling out any patch updates from vendors. We do this by creating a baseline – what is going to be the most important update for the business, and then we work backwards. It’s important to do this because, as we said, many businesses simply don’t have the time or even the bandwidth to roll out all of the patch updates at once.

To create this baseline we use three different measurements: vendor severity (that would be Microsoft’s self-certified rating), the Common Vulnerability Scoring System (CVSS), and the total number of vulnerable systems in the customer’s environment. By measuring against three separate metrics we can get a much better understanding of the risk a vulnerability really poses.

My advice would be to take Microsoft’s vulnerability ratings with a respectful pinch of salt and start looking at independently assessed scores, such as CVSS. Each month US-CERT uses CVSS to rate all of Microsoft’s patch updates the same day they’re released, giving you a much better understanding of the risk a particular vulnerability poses to your business.

Patching is invaluable to protecting your business. By taking a phased approach to updating systems and creating a baseline to understand the risk of each vulnerability, you can get a much better idea of which patches you should be prioritising first.

Robert Brown is Director of Services at Verismic

Originally published on IT Security Guru

Patch Tuesday: Largest of 2014


With 14 bulletins this month covering almost 40 individual Common Vulnerabilities and Exposures (CVEs), November’s Patch Tuesday is fairly significant in size, with one particular update considered fairly urgent: MS14-066, which fixes a vulnerability in Schannel, the component of Windows that implements SSL/TLS. Those of you with eagle eyes will have spotted that two bulletins are missing from the update (MS14-069 and MS14-075) – no release date has been confirmed by Microsoft as yet.

Microsoft’s advice is to apply all of the updates, which shouldn’t be an issue for home users, but for businesses that are geographically spread out, where there may be a slow internet connection, you’ll need to be very considered in the choice of patches you deploy first.


The Common Vulnerability Scoring System (CVSS), included in the table below, is provided independently by US-CERT and looks at the impact that certain vulnerabilities can have. Microsoft’s ‘Critical’ vulnerabilities are rated as such because there is a known active exploit, but using the CVSS score can give you a much better understanding of how easily your systems can be exploited and the potential impact each could have. Looking at the table below we can see some disparities between Microsoft’s rating and the independently scored CVSS.

Critical updates

MS14-064

The first update of November’s Patch Tuesday resolves vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). With a CVSS of 9.3, this is one of five updates that you need to patch sooner rather than later. The more severe of the two vulnerabilities could allow remote code execution, enabling an attacker to run arbitrary code in the context of the current user. If that user has admin rights then the attacker could install programs; view, change, or delete data; or create new user accounts.

MS14-065

I’d argue that this is by far the most important update for you to pay attention to as it affects the entire Microsoft estate from the operating system to Internet Explorer. The update resolves seventeen privately reported vulnerabilities in Internet Explorer. An attacker who exploits these vulnerabilities could gain the same user rights as the current user. The most severe of these vulnerabilities would allow for remote code execution if a user views a specially crafted web page using Internet Explorer. Once again, this update has a CVSS of 9.3.

MS14-066

This update has been the focus of most blogs and articles this month, with most suggesting that it is in fact the single most important update to implement – rather than MS14-065. It’s a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows Server. However, the Schannel is not so easy to crack and the extent of the damage that can be caused is not as severe as other Critical updates. With a CVSS score of 6.8 I’d argue that there are other updates you should be prioritising over this one.

MS14-067

This security update (CVSS of 9.3) resolves a vulnerability in Windows that could allow remote code execution if a logged-on user visits a specially crafted website that is designed to invoke XML Core Services (MSXML) through Internet Explorer. However, in order for an attacker to take advantage of this exploit they would need to convince a user to visit a website using social engineering.

Other notable updates

There are, in fact, two other updates you should be paying close attention to: MS14-069 and MS14-072. Microsoft has rated both of these updates as ‘Important’ but they have each been given an independent CVSS score of 9.3, so US-CERT is saying that these two updates are just as severe as those noted above.

  • MS14-069 is a security update resolving three vulnerabilities in Microsoft Office that could allow remote code execution enabling an attacker to gain the same user access rights as the current user. It is exploited through a specially crafted file that is opened in an affected edition of Microsoft Office 2007.
  • MS14-072 resolves a vulnerability in the .NET framework, which could allow elevation of privilege. According to Microsoft, it is exploited through an attacker sending specially crafted data to an affected workstation that uses .NET Remoting. However, only custom applications that have been specifically designed to use .NET Remoting would expose a system to this vulnerability.

Next steps

Below is the full breakdown of this month’s patch updates. We recommend patching MS14-064, MS14-065, MS14-067, MS14-069, and MS14-072 in the first instance, before working through the rest of the updates. For our customers, we will be analysing the binary code for each update and will be rolling out the patches to all of our customers through the agreed deployment process using Verismic Syxsense.

| Update no. | CVSS score | Microsoft score | Affected software | Details |
|---|---|---|---|---|
| MS14-064 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Windows OLE could allow remote code execution (3011443) |
| MS14-065 | 9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative security update for Internet Explorer (3003057) |
| MS14-067 | 9.3 | Critical | Microsoft Windows | Vulnerability in XML Core Services could allow remote code execution (2993958) |
| MS14-069 | 9.3 | Important | Microsoft Office | Vulnerabilities in Microsoft Office could allow remote code execution (3009710) |
| MS14-072 | 9.3 | Important | Microsoft Windows, Microsoft .NET Framework | Vulnerability in .NET Framework could allow elevation of privilege (3005210) |
| MS14-073 | 8.5 | Important | Microsoft Server Software | Vulnerability in Microsoft Sharepoint Foundation could allow elevation of privilege (3000431) |
| MS14-078 | 8.5 | Moderate | Microsoft Windows, Microsoft Office | Vulnerability in IME (Japanese) could allow elevation of privilege (2992719) |
| MS14-070 | 7.2 | Important | Microsoft Windows | Vulnerability in TCP/IP could allow elevation of privilege (2989935) |
| MS14-079 | 7.1 | Moderate | Microsoft Windows | Vulnerability in Kernel-Mode driver could allow denial of service (3002885) |
| MS14-066 | 6.8 | Critical | Microsoft Windows | Vulnerability in Schannel could allow remote code execution (2992611) |
| MS14-071 | 4.3 | Important | Microsoft Windows | Vulnerability in Windows Audio Service could allow elevation of privilege (3005607) |
| MS14-074 | 4.3 | Important | Microsoft Windows | Vulnerability in Remote Desktop Protocol could allow security feature bypass (3003743) |
| MS14-077 | 4.3 | Important | Microsoft Windows | Vulnerability in Active Directory Federation Services could allow information disclosure (3003381) |
| MS14-076 | 2.6 | Important | Microsoft Windows | Vulnerability in Internet Information Services (IIS) could allow security feature bypass (2982998) |
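The three-metric baseline from the prioritisation article (vendor severity, CVSS, number of vulnerable systems) and the rating disparities discussed above can be worked through on November's table. This Python code is an added example, not Verismic's tooling: the scores and ratings come from the table, while the host counts, the tie-break order, the use of NVD's CVSS v2 bands and the per-window install budget are assumptions made for illustration.

```python
from dataclasses import dataclass

# Microsoft's rating scale as listed in the article, most severe first.
VENDOR_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# (bulletin, CVSS score, Microsoft rating) copied from the November 2014 table.
NOVEMBER_2014 = [
    ("MS14-064", 9.3, "Critical"), ("MS14-065", 9.3, "Critical"),
    ("MS14-067", 9.3, "Critical"), ("MS14-069", 9.3, "Important"),
    ("MS14-072", 9.3, "Important"), ("MS14-073", 8.5, "Important"),
    ("MS14-078", 8.5, "Moderate"), ("MS14-070", 7.2, "Important"),
    ("MS14-079", 7.1, "Moderate"), ("MS14-066", 6.8, "Critical"),
    ("MS14-071", 4.3, "Important"), ("MS14-074", 4.3, "Important"),
    ("MS14-077", 4.3, "Important"), ("MS14-076", 2.6, "Important"),
]

# CONSTRUCTED sample data: hosts in a hypothetical estate still missing each update.
MISSING_HOSTS = {
    "MS14-064": 1200, "MS14-065": 1500, "MS14-067": 1200, "MS14-069": 400,
    "MS14-072": 900, "MS14-073": 6, "MS14-078": 0, "MS14-070": 40,
    "MS14-079": 1200, "MS14-066": 1500, "MS14-071": 1100, "MS14-074": 1200,
    "MS14-077": 2, "MS14-076": 25,
}


@dataclass(frozen=True)
class Bulletin:
    id: str
    cvss: float
    vendor: str
    hosts: int


def load(rows, inventory):
    """Join the bulletin table with the per-bulletin count of unpatched hosts."""
    return [Bulletin(i, cvss, vendor, inventory.get(i, 0)) for i, cvss, vendor in rows]


def rank(bulletins):
    """CVSS first, then exposure, then vendor rating (assumed tie-break order)."""
    return sorted(bulletins,
                  key=lambda b: (-b.cvss, -b.hosts, VENDOR_RANK[b.vendor], b.id))


def cvss_v2_band(score):
    """NVD qualitative bands for CVSS v2 base scores."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


def disparities(bulletins):
    """Flag bulletins where the vendor rating and the CVSS band disagree."""
    flagged = {}
    for b in bulletins:
        high = cvss_v2_band(b.cvss) == "High"
        if high and b.vendor != "Critical":
            flagged[b.id] = "understated"   # vendor rating lower than CVSS suggests
        elif not high and b.vendor == "Critical":
            flagged[b.id] = "overstated"    # vendor rating higher than CVSS suggests
    return flagged


def plan_windows(ranked, installs_per_window):
    """Fill maintenance windows in strict priority order.

    installs_per_window is a hypothetical budget of host installs per window.
    A bulletin that alone exceeds the budget still gets a window to itself,
    and bulletins with no affected hosts are skipped.
    """
    windows, current, used = [], [], 0
    for b in ranked:
        if b.hosts == 0:
            continue
        if current and used + b.hosts > installs_per_window:
            windows.append(current)
            current, used = [], 0
        current.append(b.id)
        used += b.hosts
    if current:
        windows.append(current)
    return windows


if __name__ == "__main__":
    estate = load(NOVEMBER_2014, MISSING_HOSTS)
    order = rank(estate)
    notes = disparities(estate)
    for n, window in enumerate(plan_windows(order, 3000), start=1):
        print(f"Window {n}:")
        for bid in window:
            print(f"  {bid} {notes.get(bid, '')}".rstrip())
```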

Microsoft issues critical patches for Windows SSL/TLS and OLE flaws


Microsoft has issued critical patches for flaws relating to SSL/TLS encryption on Windows systems, as well as the Windows Object Linking and Embedding (OLE) protocol.

On Tuesday morning, the Redmond technology giant issued a news bulletin announcing the release of 14 security patches, including four rated ‘critical’ and eight as ‘important’, as part of its Patch Tuesday programme.

Arguably the most important of all of these was a patch for a flaw in the Microsoft secure channel (Schannel) security component, which implements the Secure Sockets Layer (SSL) and transport layer security (TLS) protocols that are used to handle encryption and authentication in Windows – including on HTTP applications.

According to the Microsoft advisory, the flaw comes down to the “improper processing of specially crafted packets”, which could be exploited by attackers remotely executing attacks on targets by sending malicious traffic to a Windows-based server.

The advisory notes that the flaw (MS14-066) – which has no workaround – is ‘critical’ for servers (Windows Server 2003, 2008 and 2012) and desktop devices, with the latter potentially threatening users running Vista, Windows 7, 8, 8.1 and Windows RT.

Amol Sarwate, director of engineering at Qualys, told newswire Ars Technica that these would be particularly vulnerable if the user had installed software on their client devices to monitor internet ports.

Fortunately, Microsoft says that there is no evidence pointing to in-the-wild exploits being used against Windows users at this point, although observers will note that the flaw itself comes in a year where TLS stacks (including Apple’s Secure Transport, OpenSSL, NSS, GNU TLS and now SChannel) have been found with varying vulnerabilities.

The update was one of 16 (two have been postponed) scheduled for the Patch Tuesday batch, which also discloses and issues fixes for two OLE bugs.

The latter affects all supported versions of Windows and is given an ‘exploitability’ rating of “0” as the zero-day (CVE-2014-6352) is being used in “limited, targeted attacks in the wild.” Specifically, the most severe of the vulnerabilities could allow for remote code execution if a user was directed to a spoofed webpage on Internet Explorer.

“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user,” reads the advisory. “If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Elsewhere, there are also fixes for bugs in XML Core Services (rated as critical for Vista, Windows 7, 8 and 8.1 devices), Office, Exchange and SharePoint. The full list can be seen here.

In an email to journalists, Ross Barrett, senior manager of security engineering at Rapid7, said that MS14-064 is the most critical flaw, as it relates to OLE which was exploited in the Sandworm exploit – which has been used to target Windows devices within critical infrastructure.

“The top patching priority is definitely going to be MS14-064, which is under active exploitation in the wild and may be related, at least superficially, to last month’s Sandworm attack, which also worked through a vulnerability in OLE,” he said.

“After MS14-064, attention goes to MS14-065 and MS14-066, Internet Explorer and SChannel respectively. The SChannel issue is risky, since there is a very good chance that this service could be exposed or accessed via the perimeter. The IE patches are cumulative, as usual, and address 17 CVEs.”

He added: “Perimeter systems are often mission critical and need the fastest attention. Administrators will have to balance the risk of exploit with their perceived exposure and their tolerance for downtime.”

Ethical hacker Gavin Millard, who is technical director EMEA at Tenable Security, added in an email to SCMagazineUK.com that MS14-064 and MS14-066 should be the highest priority – noting that the latter is the most concerning as it affects all supported versions of Windows.

“MS14-064, a vulnerability in the Windows Object Linking and Embedding (OLE) library, appears to be a continuation of vulnerabilities disclosed last month in MS14-060. Researchers have already identified this vulnerability being used in the wild for exploitation through the use of malicious PowerPoint files,” he told SC.

“The larger worry for many is MS14-066 though as it’s a remote code execution vulnerability affecting all supported versions of Windows including the server platforms. The bug was discovered in Schannel, a set of security protocols for communication and identification, and is of particular concern due to the possibility of an attacker utilising it without user interaction.

“Whilst no proof of concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won’t be long until one does which could be disastrous for any admin that hasn’t updated.”

Millard admitted it’s hard to say if the flaw could be potentially as dangerous as Shellshock (an open-source flaw which allowed an attacker to perform remote code execution attacks on any server using the Bash shell) and Heartbleed (OpenSSL bug exploited, with thousands of websites and web servers affected).

“Is MS14-066 as bad as ShellShock and Heartbleed? At the moment, due to the lack of details and proof of concept code it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them.”

Update: 

Robert Brown, director of services at cloud-based IT endpoint management solution provider Verismic, suggested however that Microsoft’s patches can be hard to manage for security teams with short maintenance windows.

And citing the US National Vulnerability Database where CVEs are scored independently by CERT, he told SCMagazineUK.com: “They will probably look at the credibility and if there are any confirmed exploits. In my opinion, they will make these critical if there is active exploit.”

He went on to note that MS14-066 – already named Winshock in some quarters – would still require a user clicking on the link and using a device with administrator rights for an exploit to be effective, and suggested that MS14-065 is more pervasive as the Internet Explorer bug could be used to ‘actively infect a huge amount of the Windows estate’.

Citing the fact that it affects all versions of IE going back to version 6.0, he said: “One problem with Microsoft’s binary is that files remain behind it even if you don’t use [the application]…and lock it from your machine. The little seed is still there.” He added that hackers could remotely exploit the flaw by using a crafted instant messenger message promising Christmas pictures, for example, before delivering the payload.

Patch Tuesday: Back In Full Swing!


After a relatively light Patch Tuesday last month, October’s security updates are back in full swing, with a total of eight security bulletins covering 24 vulnerabilities discovered in Internet Explorer, Office, and the .NET Framework. Three of the bulletins are rated as Critical – full details can be seen below.

Critical updates

Internet Explorer features heavily in this month’s update, with the first Critical update, MS14-056, addressing 14 privately reported vulnerabilities and scoring a CVSS of 9.3. The most severe of these could allow remote code execution, giving the attacker the same admin rights as the current user.

The second of the Critical updates, MS14-057, could also allow remote code execution if the attacker sends a specially crafted URI request containing international characters to a .NET web application. The three privately reported vulnerabilities score CVSS 9.3, so remediation should be done as soon as technically possible.

The last of this month’s Critical updates, MS14-058, resolves two privately reported vulnerabilities in Windows, again with a CVSS score of 9.3. Once again the more severe of the two could allow remote code execution. What is interesting here is that the attacker would have to rely on a phishing attack to exploit this vulnerability as it requires the attacker to convince a user to open a specially crafted document or visit an untrusted website.

Important update – but no less critical

By far the most important patch in this month’s update is MS14-060 as there are already zero-day attacks taking advantage of this vulnerability, so remediation is recommended as soon as technically possible. While this security update is only rated Important by Microsoft, it has been independently scored CVSS 9.3 for all supported releases of Microsoft Windows, excluding Windows Server 2003.

The security update resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if a user opens an Office file containing a specially crafted OLE object. This would allow an attacker to execute any command in the context of the user, such as installing programs; viewing, changing, or deleting data; or creating new accounts with full user rights.

Next steps

As always it’s vital to update the Critical vulnerabilities at the earliest opportunity, so we will be analysing the binary code for each patch update and will be rolling out the updates to all of our customers through the agreed deployment process using Verismic Syxsense.

| Update no. | CVSS score | Microsoft score | Affected Software | Details |
|---|---|---|---|---|
| MS14-056 | 9.3 | Critical | Microsoft Windows, Windows Explorer | Cumulative Security update for Internet Explorer (2987107) |
| MS14-057 | 9.3 | Critical | Microsoft Windows, Microsoft .NET framework | Vulnerabilities in .NET framework could allow remote code execution (3000414) |
| MS14-058 | 9.3 | Critical | Microsoft Windows | Vulnerabilities in Kernel-Mode driver could allow remote code execution (3000061) |
| MS14-060 | 9.3 | Important | Microsoft Windows | Vulnerability in Windows OLE could allow remote code execution (3000869) |
| MS14-061 | 9.3 | Important | Microsoft Office, Microsoft Office services, Microsoft Office web app | Vulnerability in Microsoft Word and Office web apps could allow remote code execution (3000434) |
| MS14-063 | 7.2 | Important | Microsoft Windows | Vulnerability in FAT32 disk partition driver could allow elevation of privilege (2998579) |
| MS14-062 | 6.8 | Important | Microsoft Windows | Vulnerability in message queuing service could allow elevation of privilege (2993254) |
| MS14-059 | 4.3 | Important | Microsoft Developer tools | Vulnerability in ASP.Net MVC could allow security feature bypass (2990942) |

Patch Tuesday: Time to Lose Your Marbles!


Microsoft’s patches this month are few, but no less important. In fact, critical in one case!

We generally compare two sources of information to understand the impact of Microsoft’s patch updates – Microsoft’s own feed plus information from an independent source, such as US-CERT [United States Computer Emergency Readiness Team], which uses the Common Vulnerability Scoring System (CVSS) to assess the potential impact of the IT vulnerabilities. By contrasting two sources of information we can get the real picture of how the vulnerabilities affect your business.

In this latest round, announced last week, we have four updates, MS14-052, MS14-053, MS14-054 and MS14-055. Full details for each below. Now, what’s interesting here is that Microsoft has listed the latter three as Important but by using the CVSS we can actually understand that MS14-055 has a score of 7.8 out of 10. That’s pretty high and, in our experience, anything with a CVSS score that high needs to be urgently prioritised along with the Critical update MS14-052.

What’s the risk?

MS14-055 resolves vulnerabilities, which could allow a denial of service attack against Microsoft Lync Server. This is rightfully a high-scoring ‘Important’ vulnerability that could allow someone to kill the server of a communications tool so vital to the operations of many, many businesses.

As an aside, I like to think of a denial of service attack as a marble in a bucket; the bucket is being used to remove water from a swimming pool. Every time the bucket is used, another marble finds its way in. Before long, you’re carrying a lot of marbles and not shifting much water! This vulnerability needs resolving – it’s time to lose your marbles.

MS14-052 has a CVSS score of 9.3. It’s a ‘rollup’ of 36 privately reported vulnerabilities, which affect all versions of Microsoft Internet Explorer. The vulnerability could allow an attacker to execute remote code. Again, it needs to be resolved.

Next steps 

Right now, we’re looking at the binary code for each patch update and moving towards testing and piloting the updates before deployment to customers. As with all our customers, we’ll be working through our agreed deployment process using Verismic Syxsense for rollout.

Feel free to leave a comment below if you have any viewpoints on the patch updates.

Microsoft score | CVSS score | Update no. | Affected software

Critical security bulletin | 9.3 | MS14-052
Windows Server 2003 Service Pack 2:
– Internet Explorer 6
– Internet Explorer 7
– Internet Explorer 8
Windows Server 2003 x64 Edition Service Pack 2:
– Internet Explorer 6
– Internet Explorer 7
– Internet Explorer 8
Windows Server 2003 with SP2 for Itanium-based Systems:
– Internet Explorer 6
– Internet Explorer 7
Windows Vista Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
Windows Vista x64 Edition Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
Windows Server 2008 for 32-bit Systems Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for x64-based Systems Service Pack 2:
– Internet Explorer 7
– Internet Explorer 8
– Internet Explorer 9
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for Itanium-based Systems Service Pack 2:
– Internet Explorer 7
Windows 7 for 32-bit Systems Service Pack 1:
– Internet Explorer 8
– Internet Explorer 9
– Internet Explorer 10
– Internet Explorer 11
Windows 7 for x64-based Systems Service Pack 1:
– Internet Explorer 8
– Internet Explorer 9
– Internet Explorer 10
– Internet Explorer 11
Windows Server 2008 R2 for x64-based Systems Service Pack 1:
– Internet Explorer 8
– Internet Explorer 9
– Internet Explorer 10
– Internet Explorer 11
(Windows Server 2008 R2 Server Core installation not affected)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:
– Internet Explorer 8
Windows 8 for 32-bit Systems:
– Internet Explorer 10
Windows 8 for x64-based Systems:
– Internet Explorer 10
Windows Server 2012:
– Internet Explorer 10
(Windows Server 2012 Server Core installation not affected)
Windows RT:
– Internet Explorer 10
Windows 8.1 for 32-bit Systems:
– Internet Explorer 11
Windows 8.1 for x64-based Systems:
– Internet Explorer 11
Windows Server 2012 R2:
– Internet Explorer 11
(Windows Server 2012 R2 Server Core installation not affected)
Windows RT 8.1:
– Internet Explorer 11
Impact: Remote Code Execution
Version Number: 1.0

Important security bulletin | 7.8 | MS14-055
– Microsoft Lync Server 2010
– Microsoft Lync Server 2013
Impact: Denial of Service
Version Number: 1.0

Important security bulletin | 6.8 | MS14-054
– Windows 8 for 32-bit Systems
– Windows 8 for x64-based Systems
– Windows 8.1 for 32-bit Systems
– Windows 8.1 for x64-based Systems
– Windows Server 2012
(Windows Server 2012 Server Core installation affected)
– Windows Server 2012 R2
(Windows Server 2012 R2 Server Core installation affected)
– Windows RT
– Windows RT 8.1
Impact: Elevation of Privilege
Version Number: 1.0

Important security bulletin | 4.3 | MS14-053
Windows Server 2003 Service Pack 2
– Microsoft .NET Framework 1.1 Service Pack 1
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
Windows Server 2003 x64 Edition Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
Windows Server 2003 with SP2 for Itanium-based Systems
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 4
Windows Vista Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Vista x64 Edition Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Server 2008 for 32-bit Systems Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for x64-based Systems Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2008 Server Core installation not affected)
Windows Server 2008 for Itanium-based Systems Service Pack 2
– Microsoft .NET Framework 2.0 Service Pack 2
– Microsoft .NET Framework 3.0 Service Pack 2
– Microsoft .NET Framework 4
Windows 7 for 32-bit Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows 7 for x64-based Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2008 R2 Server Core installation affected)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
– Microsoft .NET Framework 3.5.1
– Microsoft .NET Framework 4
Windows 8 for 32-bit Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows 8 for x64-based Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows 8.1 for 32-bit Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5.1/4.5.2
Windows 8.1 for x64-based Systems
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5.1/4.5.2
Windows Server 2012
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
(Windows Server 2012 Server Core installation affected)
Windows Server 2012 R2
– Microsoft .NET Framework 3.5
– Microsoft .NET Framework 4.5.1/4.5.2
(Windows Server 2012 R2 Server Core installation affected)
Windows RT
– Microsoft .NET Framework 4.5/4.5.1/4.5.2
Windows RT 8.1
– Microsoft .NET Framework 4.5.1/4.5.2
Impact: Denial of Service
Version Number: 1.0