Patch Management Service Content Update from CTCOMP – March 2014

Five bulletins were released this month which address 23 unique CVEs in Microsoft Windows, Internet Explorer, and Silverlight. For those who need to prioritize their deployment planning, Microsoft recommends focusing on MS14-012 and MS14-014.

MS14-012 | Cumulative Security Update for Internet Explorer  
This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. Microsoft is aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in Security Advisory 2934088, which included a Fix it for the issue. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. For all issues addressed by this update, successful exploitation could allow an attacker to gain the same user rights as the local user.

MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn’t publicly known and it isn’t under active attack; however, it can impact your security in ways that aren’t always obvious. Specifically, the update removes an avenue attackers could use to bypass ASLR protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable.

(source: Microsoft Security Response Center)

March 14, 2014

Update Report on Patches MS14-012 to MS14-016

MS14-012: Deployed via Kaseya and tested successfully for Internet Explorer 7, 8, 9, 10, 11. You may begin internal testing of this patch.

MS14-013: Deployed via Kaseya and tested successfully on Windows XP, 2003, 7, 2008R2, 8, 8.1, 2012R2. You may begin internal testing of this patch.

MS14-014: Deployed via Kaseya and tested successfully for Silverlight. You may begin internal testing of this patch.

MS14-015: Deployed via Kaseya and tested successfully on Windows XP, 2003, 2008, 7, 2008R2, 8, 8.1, 2012R2. You may begin internal testing of this patch.

MS14-016: Deployed via Kaseya and tested successfully on Windows 2003, 2008, 2008R2, 2012R2. You may begin internal testing of this patch.