May 2014 Patch Tuesday Rolls Out 8 Bulletins
This month’s Patch Tuesday features eight bulletins, the largest number of bulletins released so far this year. Of the eight bulletins, two are rated ‘critical’ and the rest are rated ‘important.’ While Microsoft may have released an out-of-band update for Windows XP to address a (then) zero-day vulnerability, updates for that OS are noticeably absent from this rollout.
Aside from the eight bulletins, this Patch Tuesday also includes the out-of-band security patch that was released two weeks ago addressing an Internet Explorer zero-day vulnerability. But that isn’t the only update concerning Internet Explorer. One of the two ‘critical’ updates, MS14-029, addresses two privately reported vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
The second ‘critical’ update (MS14-022) addresses multiple vulnerabilities in Microsoft Office server and productivity software. According to Microsoft, “[t]he most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.”
Two updates address vulnerabilities concerning Microsoft Office. MS14-023 resolves vulnerabilities that could allow remote code execution if a user opens an Office file in the same network directory as a specially crafted library file. MS14-024, meanwhile, resolves a vulnerability that could allow security feature bypass if a user “views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer.” The remaining updates address vulnerabilities that could allow elevation of privilege and denial of service if exploited.
Users are advised to apply these security updates as soon as possible and to visit the Trend Micro Threat Encyclopedia page for further information. Two rules for Trend Micro Deep Security have also been created and are available for use by system administrators:
- 1006034 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310)
- 1006056 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815)