Security Advisor

Microsoft August Patch Tuesday: 'Critical' Fixes for IE, Media Center

This moth's Security Update addresses a total of 37 flaws.

• By Chris Paoli
• 08/12/2014

It's the second Tuesday of the month, so you know what that means: it's time for Microsoft's monthly Security Update release. August's patch includes nine bulletins -- two rated "critical" and seven rated "important" -- that address 37 flaws across multiple Microsoft products.

Per tradition, the majority (26 of 37) of the flaws are all associated with Internet Explorer. Bulletin MS014-051, a cumulative security update for IE,  affects all supported versions of Microsoft's Web browser. IT looking to prioritize today's patch release should set their sights on this one first due to active exploitation of at least one of the holes.

"Microsoft is aware of targeted attacks against vulnerability CVE-2014-2817 and rates this bulletin a “0” on the Exploitability Index, which is new value on this scale. EI=0 is an indication that attackers are exploiting at least one of the vulnerabilities," wrote Wolfgang Kandek, security expert and CTO of Qualys, Inc., in an e-mailed comment.

Once that bulletin has been applied, the second critical item, a fix for Windows Media Center, should be next on the priority list. Bulletin MS14-043 fixes one privately reported remote code execution (RCE) issue in the media player. According to Microsoft, the vulnerability could be triggered if a malicious Microsoft Office file that includes Windows Media Center resources is opened. The issue only affects those running Windows 7, 8 and 8.1 systems, and Microsoft said  that it hasn't seen any active exploits in the wild.

Important Items
Microsoft's August patch also includes the following seven bulletins rated "important":

• MS14-048: Addresses a privately reported issue in all versions of Microsoft OneNote 2007 that could lead to an RCE attack if gone unpatched. This item should be the priority when applying the remaining important items.
• MS14-044: This bulletin fixes issues in SQL Server Master Data Services and SQL Server relational database management system that could allow elevation of privilege if a malicious script was inserted into the database server through Internet Explorer.
• MS14-045: Targets three privately disclosed flaws in all supported version of Windows Server and Windows OS. The most severe of the flaws could allow an elevation of privilege if a harmful script was manually inserted in a targeted system.
• MS14-046: This item addresses a hole in Microsoft .NET Framework that could lead to an attacker bypassing the Address Space Layout Randomization (ASLR) security feature through the use of a specially crafted Web site.
• MS14-047: Fixes a Windows flaw that could lead to a security features bypass in the  Lightweight Remote Procedure Call(LRPC) client. An attack could only be pulled off if this hole is exploited in conjunction with another vulnerability, like the one found in MS14-046.
• MS14-049: Addresses an issue in Windows Installer Service that could lead to an elevation of privilege if a user attempted to repair a legitimate application with a specially crafted, malicious program.   
• MS14-050: The final item fixes a privately reported issue in SharePoint 2013 that could lead to an elevation of privilege  if a malicious app was installed that could allow an attacker to run arbitrary JavaScript.

Microsoft also updates Security Advisory 2755801 to include fixes from Adobe for its Flash and Adobe Reader. Many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.