Security Advisor

Microsoft August Patch Tuesday: 'Critical' Fixes for IE, Media Center

This month's Security Update addresses a total of 37 flaws.

It's the second Tuesday of the month, so you know what that means: it's time for Microsoft's monthly Security Update release. August's patch includes nine bulletins -- two rated "critical" and seven rated "important" -- that address 37 flaws across multiple Microsoft products.

Per tradition, the majority (26 of 37) of the flaws are associated with Internet Explorer. Bulletin MS14-051, a cumulative security update for IE, affects all supported versions of Microsoft's Web browser. IT teams looking to prioritize today's patch release should set their sights on this one first due to active exploitation of at least one of the holes.

"Microsoft is aware of targeted attacks against vulnerability CVE-2014-2817 and rates this bulletin a “0” on the Exploitability Index, which is a new value on this scale. EI=0 is an indication that attackers are exploiting at least one of the vulnerabilities," wrote Wolfgang Kandek, security expert and CTO of Qualys, Inc., in an e-mailed comment.

Once that bulletin has been applied, the second critical item, a fix for Windows Media Center, should be next on the priority list. Bulletin MS14-043 fixes one privately reported remote code execution (RCE) issue in the media player. According to Microsoft, the vulnerability could be triggered if a malicious Microsoft Office file that includes Windows Media Center resources is opened. The issue only affects those running Windows 7, 8 and 8.1 systems, and Microsoft said that it hasn't seen any active exploits in the wild.

Important Items
Microsoft's August patch also includes the following seven bulletins rated "important":

  • MS14-048: Addresses a privately reported issue in all versions of Microsoft OneNote 2007 that could lead to an RCE attack if left unpatched. This item should be the priority when applying the remaining important items.
  • MS14-044: This bulletin fixes issues in SQL Server Master Data Services and SQL Server relational database management system that could allow elevation of privilege if a malicious script was inserted into the database server through Internet Explorer.
  • MS14-045: Targets three privately disclosed flaws in all supported versions of Windows Server and Windows OS. The most severe of the flaws could allow an elevation of privilege if a harmful script was manually inserted in a targeted system.
  • MS14-046: This item addresses a hole in Microsoft .NET Framework that could lead to an attacker bypassing the Address Space Layout Randomization (ASLR) security feature through the use of a specially crafted Web site.
  • MS14-047: Fixes a Windows flaw that could lead to a security features bypass in the Lightweight Remote Procedure Call (LRPC) client. An attack could only be pulled off if this hole is exploited in conjunction with another vulnerability, like the one found in MS14-046.
  • MS14-049: Addresses an issue in Windows Installer Service that could lead to an elevation of privilege if a user attempted to repair a legitimate application with a specially crafted, malicious program.
  • MS14-050: The final item fixes a privately reported issue in SharePoint 2013 that could lead to an elevation of privilege if a malicious app was installed that could allow an attacker to run arbitrary JavaScript.

Microsoft also updates Security Advisory 2755801 to include fixes from Adobe for its Flash and Adobe Reader. Many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.  

About the Author

Chris Paoli is the site producer for and

