Microsoft Security Bulletin Advance Notification for July 2014 Issued: July 3, 2014


********************************************************************
Microsoft Security Bulletin Advance Notification for July 2014
Issued: July 3, 2014
********************************************************************
 
Notice to IT Professionals:
 
On June 27, 2014, we notified customers that we were suspending Microsoft security notifications by email due to changing Governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and are resuming security notifications by email commencing with the release of this monthly Advanced Notification Service (ANS) mailing.
 
This is an advance notification of security bulletins that Microsoft is intending to release on July 8, 2014.
 
The full version of the Microsoft Security Bulletin Advance Notification for July 2014 can be found at <https://technet.microsoft.com/library/security/ms14-jul>.
 
This bulletin advance notification will be replaced with the July bulletin summary on July 8, 2014. For more information about the bulletin advance notification service, see <http://technet.microsoft.com/security/gg309152>.
 
Microsoft will host a webcast to address customer questions on these bulletins on July 9, 2014 at 11:00 AM Pacific Time (US & Canada). Register for the Security Bulletin Webcast at <http://technet.microsoft.com/security/dn756352>.
 
This advance notification provides a number as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier. The security bulletins for this month are as follows, in order of severity:
 
 
Critical Security Bulletins
============================
 
Bulletin 1
 
  - Affected Software:
    - Windows Server 2003 Service Pack 2:
      - Internet Explorer 6
      - Internet Explorer 7
      - Internet Explorer 8
    - Windows Server 2003 x64 Edition Service Pack 2:
      - Internet Explorer 6
      - Internet Explorer 7
      - Internet Explorer 8
    - Windows Server 2003 with SP2 for Itanium-based Systems:
      - Internet Explorer 6
      - Internet Explorer 7
    - Windows Vista Service Pack 2:
      - Internet Explorer 7
      - Internet Explorer 8
      - Internet Explorer 9
    - Windows Vista x64 Edition Service Pack 2:
      - Internet Explorer 7
      - Internet Explorer 8
      - Internet Explorer 9
    - Windows Server 2008 for 32-bit Systems Service Pack 2:
      - Internet Explorer 7
      - Internet Explorer 8
      - Internet Explorer 9
      (Windows Server 2008 Server Core installation not affected)
    - Windows Server 2008 for x64-based Systems Service Pack 2:
      - Internet Explorer 7
      - Internet Explorer 8
      - Internet Explorer 9
      (Windows Server 2008 Server Core installation not affected)
    - Windows Server 2008 for Itanium-based Systems Service Pack 2:
      - Internet Explorer 7
    - Windows 7 for 32-bit Systems Service Pack 1:
      - Internet Explorer 8
      - Internet Explorer 9
      - Internet Explorer 10
      - Internet Explorer 11
    - Windows 7 for x64-based Systems Service Pack 1:
      - Internet Explorer 8
      - Internet Explorer 9
      - Internet Explorer 10
      - Internet Explorer 11
    - Windows Server 2008 R2 for x64-based Systems
      Service Pack 1:
      - Internet Explorer 8
      - Internet Explorer 9
      - Internet Explorer 10
      - Internet Explorer 11
      (Windows Server 2008 R2 Server Core installation
      not affected)
    - Windows Server 2008 R2 for Itanium-based Systems Service
      Pack 1:
      - Internet Explorer 8
    - Windows 8 for 32-bit Systems:
      - Internet Explorer 10
    - Windows 8 for x64-based Systems:
      - Internet Explorer 10
    - Windows Server 2012:
      - Internet Explorer 10
      (Windows Server 2012 Server Core installation not affected)
    - Windows RT:
      - Internet Explorer 10
    - Windows 8.1 for 32-bit Systems:
      - Internet Explorer 11
    - Windows 8.1 for x64-based Systems:
      - Internet Explorer 11
    - Windows Server 2012 R2:
      - Internet Explorer 11
      (Windows Server 2012 R2 Server Core installation not affected)
    - Windows RT 8.1:
      - Internet Explorer 11
  - Impact: Remote Code Execution
  - Version Number: 1.0
 
Bulletin 2
 
  - Affected Software:
    - Windows Vista Service Pack 2
    - Windows Vista x64 Edition Service Pack 2
    - Windows Server 2008 for 32-bit Systems Service Pack 2
      (Windows Server 2008 Server Core installation not affected)
    - Windows Server 2008 for x64-based Systems Service Pack 2
      (Windows Server 2008 Server Core installation not affected)
    - Windows 7 for 32-bit Systems Service Pack 1
    - Windows 7 for x64-based Systems Service Pack 1
    - Windows Server 2008 R2 for x64-based Systems Service Pack 1
      (Windows Server 2008 R2 Server Core installation not affected)
    - Windows 8 for 32-bit Systems
    - Windows 8 for x64-based Systems
    - Windows 8.1 for 32-bit Systems
    - Windows 8.1 for x64-based Systems
    - Windows Server 2012
      (Windows Server 2012 Server Core installation not affected)
    - Windows Server 2012 R2
      (Windows Server 2012 R2 Server Core installation not affected)
    - Windows RT
    - Windows RT 8.1
  - Impact: Remote Code Execution
  - Version Number: 1.0
 
 
Important Security Bulletins
============================
 
Bulletin 3
 
  - Affected Software:
    - Windows Vista Service Pack 2
    - Windows Vista x64 Edition Service Pack 2
    - Windows Server 2008 for 32-bit Systems Service Pack 2
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for x64-based Systems Service Pack 2
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for Itanium-based Systems Service Pack 2
    - Windows 7 for 32-bit Systems Service Pack 1
    - Windows 7 for x64-based Systems Service Pack 1
    - Windows Server 2008 R2 for x64-based Systems Service Pack 1
      (Windows Server 2008 R2 Server Core installation affected)
    - Windows Server 2008 R2 for Itanium-based Systems Service
      Pack 1
    - Windows 8 for 32-bit Systems
    - Windows 8 for x64-based Systems
    - Windows 8.1 for 32-bit Systems
    - Windows 8.1 for x64-based Systems
    - Windows Server 2012
      (Windows Server 2012 Server Core installation affected)
    - Windows Server 2012 R2
      (Windows Server 2012 R2 Server Core installation affected)
    - Windows RT
    - Windows RT 8.1
  - Impact: Elevation of Privilege
  - Version Number: 1.0
 
Bulletin 4
 
  - Affected Software:
    - Windows Server 2003 Service Pack 2
    - Windows Server 2003 x64 Edition Service Pack 2
    - Windows Server 2003 with SP2 for Itanium-based Systems
    - Windows Vista Service Pack 2
    - Windows Vista x64 Edition Service Pack 2
    - Windows Server 2008 for 32-bit Systems Service Pack 2
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for x64-based Systems Service Pack 2
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for Itanium-based Systems Service Pack 2
    - Windows 7 for 32-bit Systems Service Pack 1
    - Windows 7 for x64-based Systems Service Pack 1
    - Windows Server 2008 R2 for x64-based Systems Service Pack 1
      (Windows Server 2008 R2 Server Core installation affected)
    - Windows Server 2008 R2 for Itanium-based Systems Service
      Pack 1
    - Windows 8 for 32-bit Systems
    - Windows 8 for x64-based Systems
    - Windows 8.1 for 32-bit Systems
    - Windows 8.1 for x64-based Systems
    - Windows Server 2012
      (Windows Server 2012 Server Core installation affected)
    - Windows Server 2012 R2
      (Windows Server 2012 R2 Server Core installation affected)
    - Windows RT
    - Windows RT 8.1
  - Impact: Elevation of Privilege
  - Version Number: 1.0
 
Bulletin 5
 
  - Affected Software:
    - Windows Vista Service Pack 2
    - Windows Vista x64 Edition Service Pack 2
    - Windows Server 2008 for 32-bit Systems Service Pack 2
      (Windows Server 2008 Server Core installation not affected)
    - Windows Server 2008 for x64-based Systems Service Pack 2
      (Windows Server 2008 Server Core installation not affected)
    - Windows 7 for 32-bit Systems Service Pack 1
    - Windows 7 for x64-based Systems Service Pack 1
    - Windows Server 2008 R2 for x64-based Systems Service Pack 1
      (Windows Server 2008 R2 Server Core installation not affected)
    - Windows 8 for 32-bit Systems
    - Windows 8 for x64-based Systems
    - Windows 8.1 for 32-bit Systems
    - Windows 8.1 for x64-based Systems
    - Windows Server 2012
      (Windows Server 2012 Server Core installation not affected)
    - Windows Server 2012 R2
      (Windows Server 2012 R2 Server Core installation not affected)
  - Impact: Elevation of Privilege
  - Version Number: 1.0
 
 
Moderate Security Bulletins
============================
 
Bulletin 6
 
  - Affected Software:
    - Microsoft Service Bus for Windows Server
  - Impact: Denial of Service
  - Version Number: 1.0
 
Daniel 

13 replies

Userlevel 7
That did not take too long for Microsoft to do an "About Face" regarding email notifications....  Good decision.
 
Thanks Daniel!
Userlevel 7
Yes it is. I guess they didn't understand the new Canadian Anti-SPAM Law, and they said they would stop it for everyone, so there were many complaints... so they said it will continue as is! :)
 
Daniel :)
 
Userlevel 7
The following article is an update on Microsoft Notification
 
(Microsoft Issues New Advice on Defending Against Pass-the-Hash Attacks)
 
By Mike Lennon on July 08, 2014
Microsoft on Tuesday released new guidance to help customers defend against credential theft stemming from Pass-the-Hash (PtH) attacks.
In a new white paper called Mitigating Pass-the-Hash and Other Credential Theft, version 2, Microsoft encourages IT professionals to “assume breach” to highlight the need for the use of holistic planning strategies and features in Microsoft Windows to become more resilient against credential theft attacks.
Microsoft describes Pass-the-Hash attacks as a technique in which an attacker captures account logon credentials on one computer and then uses those captured credentials to authenticate other computers over the network.
This latest 60-page report is a follow-up to a previously released report from Microsoft on guidance and mitigations for Pass-the-Hash attacks.
 
SecurityWeek/ Full Read Here/ http://www.securityweek.com/microsoft-issues-new-advice-defending-against-pass-hash-attacks
Userlevel 7

PATCH NOW: Microsoft swats 29 security bugs, Adobe closes hijack hole

Dear Windows Journal, today I got owned

By Shaun Nichols, 8 Jul 2014
Microsoft has released patches for 29 security vulnerabilities, while Adobe has released an update for Flash Player.
Redmond's latest Patch Tuesday batch is composed of six bulletins, two of which have been rated as critical updates. Three others have been rated important, and the sixth is considered a moderate risk.
 The critical bug fixes include:
  • Cumulative security update for Internet Explorer (2975687) Addressing 24 memory-corruption vulnerabilities, including remote-code execution flaws, in IE 6 to 11 on supported OS versions. The same holes in Windows Server editions are rated as moderate. Server 2008 for 32-bit Systems Service Pack 2, x64-based Systems Service Pack 2 and R2 for x64-based Systems Service Pack 1 are not affected, and neither are Server 2012 and 2012 R2. Some of the holes were revealed in this year's Pwn2Own hacking contest. None have otherwise been exploited in the wild.
  • Vulnerability in Windows Journal could allow remote-code execution (2975689) Addressing a remote-code execution flaw in the note-taking application, which could be exploited by specially crafted Journal files to hijack the system as the logged-in user. This affects Windows Vista, Server 2008, 7, Server 2008 R2, 8 and 8.1, Server 2012 and Server 2012 R2, and Windows RT and RT 8.1.
Full Article:
Userlevel 6
Oh boy PATCH TUESDAY, LOL!
 
Yes, it owns you, I found the updates earlier and they are still downloading and installing.
Userlevel 7
This is a matter of opinion ONLY, but I thought this should be a part of a previous post, so I merged it :)
 
Thanks Sherry!!!!  I know our usual Microsoft Guru Daniel is not available today so thank you for keeping us up to date!!!
Userlevel 6
1,3GB Updates for Windows and MS Office, and those are only the important ones which are automatically approved by WSUS :)
 
Userlevel 7
The following article is an update on Microsoft Notification
 
(Office Mix: Microsoft's new tool may revolutionize presentations)
 
By J. Peter Bruzzese | InfoWorld/ July 09, 2014
 
The PowerPoint add-on helps turn slideshows into interactive presentations with lots of bells and whistles
 
For years, I've worked with tools for creating online presentations, including TechSmith's Camtasia, Adobe's Captivate, and Articulate's Storyline. They do the job well, but they're not easy for many people to use, much less master.
So I was intrigued by Microsoft's new PowerPoint add-on, called Office Mix, that debuted in a public beta in May. Although it's touted as a "game-changer" for teachers (as evidenced by Microsoft's example gallery of "mixes" created with the tool), I saw Office Mix as a potentially useful tool for every enterprise.
 


 
InfoWorld/ Full Read Here/ http://www.infoworld.com/d/microsoft-windows/office-mix-microsofts-new-tool-may-revolutionize-presentations-245802
Userlevel 7
The following article is an update on Microsoft Notification
 
(Windows admins get new tools against pass-the-hash attacks)
 
By Roger A. Grimes | InfoWorld 

Last Patch Tuesday, Microsoft released security updates that brought some of the pass-the-hash (PtH) mitigations introduced in Windows Server 2012 R2 and Windows 8.1 to Windows Server 2008 R2 and Windows 7. This is great news for computer admins fighting the good fight against credential thieves.
Before we cover those mitigations -- and other techniques to frustrate hackers -- let's review how credential theft normally occurs:
  1. Bad guy gains admin access to one network computer
  2. Bad guy obtains the passwords (or Kerberos tickets) or password hashes to all the accounts on the local computer, including the local Administrator
  3. Bad guy uses local Administrator credentials to move to other computers sharing the same logon name and password, or simply uses the local user's credentials, if they belong to a privileged domain group (such as Domain Admins or Enterprise Admins)
  4. Bad guy obtains password hashes from domain controller
  5. Bad guy owns network and takes data at will
InfoWorld/ Full Read Here/ http://www.infoworld.com/d/security/windows-admins-get-new-tools-against-pass-the-hash-attacks-246198
Userlevel 7
The following article is an update on Microsoft Notification
 
(Microsoft hawks cheap hardware, stays mum on Windows 9)
 
By Woody Leonhard | InfoWorld
Windows aficionados expecting (or at least hoping) for some insight about the next version of Windows were left wanting on the first-day keynotes at the Worldwide Partner Conference. Instead, they got more marketing palaver, a rah-rah refrain, and very nearly zero details.
As COO Kevin Turner said in the WPC keynote (fast-forward to 3:40 -- that's 3 hours, 40 minutes), "I don't have anything to say today about the next release of Microsoft Windows... This will be a great enterprise, world-class OS when it comes out. We will have some game-changing functionality in there for enterprise.... You'll be able to write that application once and have it run from smartphones to the largest screens imaginable, with a single developer API."
 
InfoWorld/ Full Read Here/ http://www.infoworld.com/t/microsoft-windows/microsoft-hawks-cheap-hardware-stays-mum-windows-9-246175
 
Userlevel 7
The following article is an update on Microsoft Notification
 
(Choose bad passwords and reuse them often says Microsoft)
 
By Ian Barker Posted on July 16, 2014
 
Conventional security wisdom says that you should use complicated passwords which are impossible to remember and have a different one for each and every website that you visit.
However, a new paper published this month by Microsoft Research says we should go back to having a bad, easily remembered, password and using it on lots of sites. Okay, that's a bit of a simplification, but what the researchers are saying is that in order to be able to remember the difficult passwords for your bank, etc it's better to reuse simpler passwords on low-risk sites.
The report acknowledges the difficulties of having a large number of passwords and the benefits of reuse as a coping strategy. The authors say, "Despite violating long-standing password guidance, writing passwords down is, if properly done, increasingly accepted as a coping mechanism. Other strategies to cope with the human impossibility of using strong passwords everywhere without re-use include single sign-on, use of email-based password reset mechanisms, and password managers".
 
betanews/ full read here/ http://betanews.com/2014/07/16/choose-bad-passwords-and-reuse-them-often-says-microsoft/
Userlevel 7
(Microsoft may announce its biggest layoffs ever today)
 
By Stephen Lawson | IDG News Service
 
The action will be much bigger than the 5,800 job cuts announced in 2009, The New York Times reports
 
Microsoft reportedly will announce the biggest round of layoffs in its history today as massive changes wrought by new CEO Satya Nadella start to take hold at the struggling IT giant.
The layoffs, which have been expected amid Nadella's calls for transformation at Microsoft, will dwarf the 5,800 job cuts it announced in 2009, The New York Times reported Wednesday, citing unnamed sources briefed on the decision. It said human resources managers have reserved conference rooms for most of Thursday, presumably to meet with laid-off employees.
 
InfoWorld/ Full Read Here/ http://www.infoworld.com/d/the-industry-standard/microsoft-may-announce-its-biggest-layoffs-ever-today-246443
 
Userlevel 7
 
 (Microsoft's Bing launches 'right to be forgotten' form)
 
By Helen Gaskell Published July 17, 2014

Microsoft's search engine Bing has followed Google in allowing Europeans to ask for pages to be removed from its online results, the BBC reported.
The move comes after a European court ruled in May, that Google could be held responsible for the type of personal data that appears on its results pages and that people had the "right to be forgotten" on the web.
 
The judgement was made when a case was brought by Mario Costeja González from Spain, after he failed to secure the deletion of an auction of his repossessed home from 1998 on a website of a mass circulation newspaper in Catalonia. He said Google's search results infringed his privacy.
 
itp.net/ Full Read Here/ http://www.itp.net/599097-microsofts-bing-launches-right-to-be-forgotten-form
