Microsoft Patch Tuesday

Microsoft announces this month's Patch Tuesday updates

Microsoft today released this month's updates on its regular Patch Tuesday, fixing a total of 13 different vulnerabilities in Windows, Internet Explorer and Office.

According to the security bulletin released by the company this morning, there are eight updates, two rated critical and six rated important, which address vulnerabilities in the .NET Framework, Office, SharePoint, Internet Explorer, and Windows.

Microsoft Office is one of the programs being updated this Patch Tuesday, as the company promised. Office 2003 stops receiving updates this month. The first update fixes a flaw that, according to the company, works as follows:
"By placing a malicious DLL file in a specific directory on the network, an attacker could cause users to load the attack code."

The second vulnerability affects only Office 2013; according to the company, a user who visits malicious websites risks losing tokens from Office.

One of the updates is aimed at Internet Explorer users. The company states that it is "one of the most critical" releases in this Patch Tuesday and that the update should be installed as soon as possible. Windows XP is no longer supported.

Last but also important is the MS14-027 security update, which addresses a security vulnerability in Windows that could expose user data if an exploit takes advantage of a Windows Shell bug. All versions of Windows are vulnerable to this type of attack, and Microsoft recommends that everyone apply the fix as soon as possible.

All patches come via Windows Update.

| Bulletin ID | Bulletin Title and Executive Summary | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
| --- | --- | --- | --- | --- |
| MS14-021 (Released out-of-band on May 1, 2014) | Security Update for Internet Explorer (2965111): This security update resolves a publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | Critical; Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| MS14-029 | Security Update for Internet Explorer (2962482): This security update resolves two privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. | Critical; Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer |
| MS14-022 | Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166): This security update resolves multiple privately reported vulnerabilities in Microsoft Office server and productivity software. The most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends crafted page content to a target SharePoint server. | Critical; Remote Code Execution | May require restart | Microsoft Server Software, Productivity Software |
| MS14-023 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037): This security update resolves two privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens an Office file that is located in the same network directory as a specially crafted file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. | Important; Remote Code Execution | May require restart | Microsoft Office |
| MS14-025 | Vulnerability in Group Preferences Could Allow Elevation of Privilege (2962486): This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain, a practice that could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences. | Important; Elevation of Privilege | May require restart | Microsoft Windows |
| MS14-026 | Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732): This security update resolves a privately reported vulnerability in the Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an unauthenticated attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. .NET Remoting is not widely used by applications; only custom applications that have been specifically designed to use .NET Remoting would expose a system to the vulnerability. | Important; Elevation of Privilege | May require restart | Microsoft Windows, Microsoft .NET Framework |
| MS14-027 | Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488): This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that uses ShellExecute. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | Important; Elevation of Privilege | Requires restart | Microsoft Windows |
| MS14-028 | Vulnerability in iSCSI Could Allow Denial of Service (2962485): This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends large amounts of specially crafted iSCSI packets over the target network. This vulnerability only affects the servers for which the iSCSI target role has been enabled. | Important; Denial of Service | May require restart | Microsoft Windows |
| MS14-024 | Vulnerability in Microsoft Common Control Could Allow Security Feature Bypass (2961033): This security update resolves a privately reported vulnerability in the implementation of the common control library MSCOMCTL. The vulnerability could allow a security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the ASLR security feature that helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code. | Important; Security Feature Bypass | May require restart | Microsoft Office |

iGuRu.gr The Best Technology Site in Greece

Written by Dimitris
