Patch Tuesday Wednesday (Oct-2014)

This month Microsoft have released eight (8) security bulletins of which three (3) have a maximum rating of Critical and five (5) have a maximum rating of Important.

❝ Today, as part of Update Tuesday, we released eight security updates – three rated Critical and five rated Important – to address 24 Common Vulnerabilities & Exposures (CVEs) in Windows, Office, .NET Framework, .ASP.NET, and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. ❞ [1]

| Bulletin | KB number | Description | Impact / Severity | Software |
|---|---|---|---|---|
| MS14-056 | 2987107 | Cumulative Security Update for Internet Explorer | Critical: Remote Code Execution | Microsoft Windows, Internet Explorer |
| MS14-057 | 3000414 | Vulnerabilities in .NET Framework Could Allow Remote Code Execution | Critical: Remote Code Execution | Microsoft Windows, Microsoft .NET Framework |
| MS14-058 | 3000061 | Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution | Critical: Remote Code Execution | Microsoft Windows |
| MS14-059 | 2990942 | Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass | Important: Security Feature Bypass | Microsoft Developer Tools |
| MS14-060 | 3000869 | Vulnerability in Windows OLE Could Allow Remote Code Execution | Important: Remote Code Execution | Microsoft Windows |
| MS14-061 | 3000434 | Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution | Important: Remote Code Execution | Microsoft Office, Microsoft Office Services, Microsoft Office Web Apps |
| MS14-062 | 2993254 | Vulnerability in Message Queuing Service Could Allow Elevation of Privilege | Important: Elevation of Privilege | Microsoft Windows |
| MS14-063 | 2998579 | Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege | Important: Elevation of Privilege | Microsoft Windows |

PATCH NOW:
* MS14-056 : Microsoft Windows, Internet Explorer : Known exploits in the wild
* MS14-057, MS14-058

Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0

❝ Today, we released Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself, and is not specific to Microsoft’s implementation of SSL or the Windows operating system. ❞ [4]

Mitigating Factors:
* The attacker must make several hundred HTTPS requests before the attack could be successful.
* TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

❝ What should you do: Disable SSLv3. There is no patch for this. SSLv3 has reached the end of its useful life and should be retired. ❞ [5]

Apply Workarounds:
* Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Internet Explorer
To turn off SSLv3 support in Internet Explorer 11:
Setting -> Internet Options -> Advanced Tab -> Uncheck “SSLv3” under “Security”.
Exit and restart Internet Explorer
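
The same workaround can be applied per user from PowerShell. This is an added example, not part of the original post or of Microsoft's advisory text; it assumes the protocol checkboxes are stored in the `SecureProtocols` registry value under the current user's Internet Settings key, using the flag values shown in the comments (neither appears on this page).

```powershell
# Added example: audit and harden the per-user Internet Explorer protocol mask.
# Assumption: protocol checkboxes map to these SecureProtocols bit flags.
$Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Name  = 'SecureProtocols'
$Flags = @{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-EnabledProtocols([int]$Mask) {
    # Names of every protocol whose bit is set in the mask, oldest first.
    $Flags.GetEnumerator() | Sort-Object Value |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-HardenedMask([int]$Mask) {
    # Clear SSL 3.0, then switch on TLS 1.0, 1.1 and 1.2; other bits are untouched.
    $tls = $Flags['TLS 1.0'] -bor $Flags['TLS 1.1'] -bor $Flags['TLS 1.2']
    ($Mask -band (-bnot $Flags['SSL 3.0'])) -bor $tls
}

# A missing value means IE is using its built-in default; start from 0 so the
# value written back is an explicit mask.
$current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) { $current = 0 }
$new = Get-HardenedMask $current

'Before: 0x{0:X} ({1})' -f $current, ((Get-EnabledProtocols $current) -join ', ')
'After : 0x{0:X} ({1})' -f $new, ((Get-EnabledProtocols $new) -join ', ')

if ($new -ne $current) {
    Set-ItemProperty -Path $Path -Name $Name -Value $new -Type DWord
}
```

As with the manual steps, Internet Explorer has to be restarted afterwards. Where protocol support is managed centrally through Group Policy, make the change there instead.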

LINKS:
[1.] October 2014 Updates (2014-Oct-14) [MS: MSRC]
[2.] Microsoft October 2014 Patch Tuesday (2014-Oct-14) [SANS]
[3.] Microsoft Security Bulletin Summary for October 2014 (2014-Oct-14) [MS]
[4.] Security Advisory 3009008 released (2014-Oct-14) [MS: MSRC]
[5.] SSLv3 POODLE Vulnerability Official Release (2014-Oct-14) [SANS]