Microsoft's May Patch Includes 'Critical' Fixes for IE and SharePoint Server
This month's security update also arrived with six "important" fixes and three new security advisories.
True to its word that April's monthly patch would be the last opportunity for any Windows XP security fixes, Microsoft released its May patch today that completely ignores the unsupported OS.
Instead, this month's security update includes two bulletins rated "critical" and six "important" fixes across Microsoft's product line, including Internet Explorer, SharePoint, Windows, Office and .NET framework.
The top priority this month should be bulletin MS14-029, an item that addresses two privately reported vulnerabilities in Internet Explorer versions 6 through 11. If exploited, these flaws could lead to an unauthorized individual gaining remote access to a system via a remote code execution (RCE) attack. What's interesting to note is that while Microsoft typically releases a cumulative fix for its browsers with the patch release, this is a more-rare targeted fix for just the two reported flaws.
"Unlike what we expected, this is another surgical fix, similar to the out-of-band MS14-021 fix from May 1," said Wolfgang Kandek, CTO of Qualys, in an e-mailed statement. "MS14-021 addressed the zero-day CVE-2014-1776, which had been found in the wild by FireEye on April 26. In a similar fashion MS14-029 addresses CVE-2014-1815, which was detected as having attacks in in the wild by the Google Security Team."
For those that might have missed the out-of-band fix for last month's Internet Explorer zero-day flaw, the company included a reminder of the fix in this month's patch summary.
The second and final critical item of the month, bulletin MS14-022, fixes an undisclosed amount of privately reported flaws in Microsoft SharePoint Server 2007, 2010, 2013, Microsoft Office Web Apps 2010 and 2013. According to the summary, an attacker who has the authentication rights to a SharePoint Server could allow a remote code execution if malicious page content was sent to the server.
While this item is rated critical, IT doesn't have to make it a top priority due to the flaws not being in active attack and the amount of social engineering needed to exploit the holes.
Microsoft's May important bulletins include:
- MS14-023: This item takes care of two issues in Office 2007, 2010, 2013 and 2013 RT that could lead to an RCE attack if an Office file was opened in a library containing a malicious library file.
- MS14-024: This takes care of a security bypass issue in a feature of the MSCOMCTL common controls library that could lead to an attack if a malicious Web page is opened in a COM components-enabled Web browser.
- MS14-025: Fixes a reported issue in Windows Vista, 7, RT, 8, 8.1 Windows Server 2008, 2012 and 2012 R2 that could allow an elevation of privilege flaw through the Directory Group Policy preferences.
- MS14-026: Addresses another elevation of privilege flaw, this time in the .NET Framework.
- MS14-027: This elevation of privilege vulnerability fix affects all currently supported versions of Windows OS and Windows Server OS.
- MS14-028: The final item of the month fixes two denial of service flaws in Windows Server 2008, 2008 R2, 2012 and 2012 R2.
Microsoft Security Advisories
Along with this month's patch, Microsoft has released three new security advisories and has updated a previously released advisory.
The first one, Security Advisory 2871997, improves credential protection in Windows 8, Windows RT, Windows Server 2012, Windows 7, and Windows Server 2008 R2. According to Microsoft, today's update provides "additional protection for the Local Security Authority (LSA), adds a restricted admin mode for Credential Security Support Provider (CredSSP), introduces support for the protected account-restricted domain user category, and enforces stricter authentication policies for Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 machines as clients."
Security Advisory 2960358 disables Rivest Cipher 4 (RC4) in Transport Layer Security (TLS) for Windows 7, 8, 8.1, RT, Windows Server 2008 R2, 2012 and 2012 R2. The change was made to block the chances of man-in-the-middle attacks to recover encrypted data from a targeted machine.
The third advisory, Security Advisory 2962824, has been pushed through by Microsoft to revoke "four private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot." The move was made as a preemptive measure, as the affected modules have yet to be used in any known attacks.
Finally, Microsoft has updated Security Advisory 2755801 with the latest fixes for Adobe Flash running in Internet Explorer.
Many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.