Number:IRCNE2014052190
Date: 2014-05-14
According to “zdnet”, Microsoft issued eight security updates today addressing a total of 14 vulnerabilities in Windows, Office and SharePoint Server. Three are already being exploited in the wild.
This is the first Patch Tuesday since the end of support for Windows XP and Office 2003. Even though Microsoft provided an update one week ago for all Windows versions, including Windows XP, this time they followed through on policy and did not release updates for Windows XP even though one of the updates patched today is critical and likely affects Windows XP.
Less well-known is that Microsoft Office 2003 also exited its support period in April. There are two updates to Microsoft Office, but none for Office 2003 which appears to be affected by at least one of the non-critical vulnerabilities fixed in the updates to later versions.
Even less well-known is that Microsoft SharePoint Portal Server 2003 also entered its end of support period last month. Three critical vulnerabilities in SharePoint Server versions 2007, 2010 and 2013, Office Web Apps, SharePoint Designer and SharePoint Server 2013 Client Components SDK were patched today, but no patches were issued for the 2003 product.
Three of the vulnerabilities below disclosed today are being exploited in the wild. A fourth had already been publicly disclosed. The most severe, MS14-029, almost certainly affects Windows XP, is being exploited in the wild, and is not patched on Windows XP.
- MS14-029: Security Update for Internet Explorer (2962482) — This is the most critical of today's critical updates. All supported versions of Internet Explorer on all supported versions of Windows (this no longer includes Windows XP) are vulnerable to two memory corruption vulnerabilities which could result in remote code execution.
- MS14-022: — All supported versions of SharePoint Server, including 2007, 2010 and 2013, as well as Office Web Apps, SharePoint Designer and SharePoint Server 2013 Client Components SDK are vulnerable to a critical remote code execution vulnerability. A second cross-site scripting (XSS) vulnerability affects only SharePoint Server 2013, Office Web Apps 2013 and the SharePoint Server 2013 Client Components SDK. A final critical remote code execution vulnerability ("Web Applications Page Content Vulnerability") affects only Office Web Apps 2010.
- MS14-024: Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033) — A vulnerability in the MSCOMCTL common controls library could allow a malicious web site to bypass ASLR (Address Space Layout Randomization). The library comes with Microsoft Office and all shipping versions are listed as vulnerable, but it is likely to be exploited through Internet Explorer. Note: Office 2003 may well be vulnerable to this bug, but it is not listed as being updated.
- MS14-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037).
- MS14-025: Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486).
- MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732).
- MS14-027: — All versions of Windows are vulnerable to an elevation of privilege vulnerability when the Windows Shell improperly handles file associations. A successful attacker could run code in the LocalSystem context.
- MS14-028: Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488) — Server versions of Windows are vulnerable to two denial of service vulnerabilities in the way Windows handles iSCSI packets.
- 7