Microsoft Security Bulletins For January 2014 overview
Welcome to the overview of Microsoft's January 2014 patch Tuesday. Microsoft has released a total of four bulletins on the first patch day of the year 2014, all of which have received the maximum severity rating of important.
A severity rating of important is the second-highest possible rating after critical. It means that at least one Microsoft product has received the severity rating, while others may have received the same rating, a lower rating, or none at all if they are not affected by the vulnerability.
The information below provide you with everything there is to know about the security patches and non-security patches that Microsoft has released this month, or after the last patch day.
We list the operating system and Office distribution so that you can easily look up the products that matter to you, provide you with a deployment guide, link to all security and non-security updates on the Microsoft website, and describe the various ways they can be downloaded and installed.
Operating System Distribution
Only two bulletins address issues in Microsoft server or client operating systems. Several operating systems, Windows Vista and all Windows 8 versions on the client side, and Windows Server 2008, Windows Server 2012 and Windows Server 2012 R2 on the server side are not affected at all this month.
All remaining operating systems, Windows XP and Windows 7 on the client side, and Windows Server 2003 and Windows Server 2008 R2 on the server side are affected by one of the bulletins only.
- Windows XP:Â 1 important
- Windows Vista: not affected
- Windows 7:Â 1 important
- Windows 8:Â not affected
- Windows 8.1: not affected
- Windows RT: not affected
- Windows RT 8.1:Â not affected
- Windows Server 2003: 1 important
- Windows Server 2008: not affected
- Windows Server 2008 R2: 1 important
- Windows Server 2012: not affected
- Windows Server 2012 R2: not affected
Office Distribution
One of the remaining two bulletins impacts all Microsoft Office versions. It is interesting to note that it affects them all in the same way.
Each Office version has received the same severity rating of important.
- Microsoft Office 2003: 1 important
- Microsoft Office 2007: 1 important
- Microsoft Office 2010:Â 1 important
- Microsoft Office 2013: 1 important
- Microsoft SharePoint Server 2010: 1 important
- Microsoft SharePoint Server 2013: 1 important
- Microsoft Office Web Apps 2010: 1 important
- Microsoft Office Web Apps 2013: 1 important
Deployment Guide
Microsoft releases a deployment guide each month that system administrators can use as a guideline for deployment.
The top priority this month is the MS14-002 vulnerability in Windows Kernel that could allow an elevation or privileges.
The company suggests the following deployment priority for this month's bulletins.
- Tier 1 updates: MS14-002 Kernel
- Tier 2 updates: MS14-001 Word, MS14-003 KMD
- Tier 3 updates: MS14-004 Dynamics AX
Security Bulletins
- MS14-001 - Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)
- MS14-002 - Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)
- MS14-003 - Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)
- MS14-004 - Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)
Other security-related information
- Windows Malicious Software Removal Tool - January 2014 (KB890830)/Windows Malicious Software Removal Tool - January 2014 (KB890830) - Internet Explorer Version
- Microsoft security advisory: Improperly issued digital certificates could allow spoofing -Â (KB2917500) - Security Update for Windows 8.1, Windows 8, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP
- Update for Vulnerabilities in Adobe Flash Player in Internet Explorer (revised) - (KB2755801)
- Re-release of MS13-081 for systems where the initial update failed on (MS13-081)
Non-security related updates
- Update for Windows 8.1, Windows RT 8.1, Windows 8, and Windows RT (KB2894853)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2904440)
- Windows RT, Windows 8, and Windows Server 2012 update rollup: January 2014 -Â (KB2911101) - Update for Windows 8, Windows RT, and Windows Server 2012
- Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: January 2014 - (KB2911106) - Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2913270)
- Update for Windows 7 and Windows Server 2008 R2 (KB2913431)
- Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2914220)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2917499)
- Screen turns black when it rotates from portrait orientation to landscape orientation in Windows - (KB2917993) - Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2
- Description of Windows SharePoint Services 3.0 SP3 and of Windows SharePoint Services 3.0 Language Pack SP3 - (KB2526305) - Windows SharePoint Services 3.0 Service Pack 3 x64 Edition
- Windows RT, Windows 8, and Windows Server 2012 update rollup: December 2013Â - (KB2903938) - Update for Windows 8, Windows RT, and Windows Server 2012
- Surface 2 prompts you for the BitLocker recovery key when you restart the device - (KB2921482) -Â Update for Windows RT 8.1
- AV_NULL_IP_BTHUSB!USBD_CreateHandle" Stop error on a Windows 8.1-based computer that has certain MediaTek drivers installed - (KB2917488) -Â Dynamic Update for Windows 8.1
- Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: November 2013 -Â (KB2887595) - Update for Windows 8.1
- Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: December 2013 - (KB2903939) - Update for Windows 8.1
How to download and install the January 2014 security updates
All security-related updates are available via Microsoft's Windows Update service which means that the updates will be delivered automatically to most home users.
Users who have blocked the automatic update feature can download the latest security updates and regular updates from Microsoft's Download Center website instead.
A DVD image containing all security updates of the month will also be made available soon.
It may make sense to download updates from Microsoft if they need to be deployed on multiple systems as it will save bandwidth in the progress.
It is alternatively possible to use third-party download tools to download all patches for Windows and other Microsoft products.
Additional information
- Microsoft Security Response Center blog on the 2014 Bulletin Release
- Microsoft Security Bulletin Summary for January 2014
- List of software updates for Microsoft products 2014
This update seems to have broken my Win8 Apps Store search. Apps and store work OK, but Store Search crashes. I think I’ve narrowed it down to the Flash update.
Thank you very much Martin for the monthly Microsoft Updates article :)
Has update KB2894853 been pulled? The link gives a page not found error and I have not received the update.
“It is alternatively possible to use third-party download tools to download all patches for Windows and other Microsoft products.’
I’m going to look into that.
I have an update that will not install.
Perhaps another way would help.
Well, it installs then after a restart, it says failed.
I’ve looked into a remedy for as long as I have patience for.
I’ve been using Bitdefender Antivirus (paid version) for my updates. One click and it notifies you of the updates, another click downloads and installs. Done.
Sorry for shameful plug.
Who knows :-( BTW, now that I’ve installed, I’ve noticed this one among the updates:
http://support.microsoft.com/kb/2862330
I’m not sure whether it should be mentioned in your article.
It is mentioned. It is a re-release of the update.
Ah, I missed it because the text in parenthesis in
“Re-release of MS13-081 for systems where the initial update failed on (MS13-081)”
mentions (again) the “MS number”, not the KB one (as, at a glance, all the other entries do), so a search for “2862330” yielded nothing.
PS: BTW, my message was a reply to #comment-1928221 but it ended up “alone”. If you can re-establish the correct threading, that would be good. Or, given that it was almost a spurious report, you can just remove the message and the two replies (the one by you and this one) :-).
Thanks Martin, With helping me like every mount with the Microsoft monthly operating system and Microsoft office, etc. updates.
This mount a absolute record low with only 4 updates for main windows 7 system, I could not believe main eyes
Hi Martin,
one thing I’ve always wondered is why Windows Update doesn’t notify immediately of the new updates. Attackers *know* that vulnerabilities are made known on the second Tuesday of the month, so any delay in applying the corresponding patches means leaving the system completely exposed.
Good point. I do not really know why that is the case either.
I don’t know for other Windows versions, but I think Windows XP with Automatic Updates enabled checks for new updates every 72 hours. The user or other programs may “force” more checks (for example, Microsoft Security Essentials may force AU to get updates, so it gets newer definitions).
I think the Microsoft’s servers can’t handle the load, so the updates take a couple of days to be distributed.
I have blue screens on start up after installing Windows Updates.BlueScreenView says the culprit is nvlddmkm.sys.I guess one of the Windows updates (kb2914368 or kb2913602) is in conflict with that Nvidia driver.
I had issues with Video being glitchy after install of kb2914368. I have since removed it and am back to normal.
No Internet Explorer related Cumulative Update yet still I lost my whole IE history etc… Really annoying…