Microsoft Security Bulletins For May 2014 overview
Welcome to this month's overview of security bulletins and updates for Microsoft Windows, Office, and other Microsoft products.
This is the first month after end of support for the popular Windows XP operating system. Microsoft did release a patch for Windows XP after end of support to address a security issue in Internet Explorer, but made it clear that this was an exception rather than something that XP users should get used to.
The company will reveal a total of eight security bulletins this month addressing vulnerabilities in Microsoft Windows, Office, Internet Explorer, Microsoft Server Software, Productivity Software and the Microsoft .NET Framework.
Two of the bulletins have received the highest severity rating of critical, while the remaining six are rated important.
Below you will find all relevant information about those updates and additional updates that Microsoft released since April's Patch Day.
Executive Summary
- A total of eight security bulletins are released that address 13 vulnerabilities across all products.
- Affected products include the Windows operating system, Office and server software.
- Two bulletins have received the highest severity rating of critical.
- The top deployment priorities are MS14-024, MS14-025 and MS14-029.
Video Summary
Not yet released.
Operating System Distribution
All desktop-based Windows operating systems are affected by the same vulnerabilities. All are affected by one critical and three important bulletins.
The exception here is Windows RT which is only affected by one critical and two important bulletins.
On the server side of things, we see a similar picture. All server-based operating systems with the exception of Windows Server 2003 are affected by five bulletins of which four are rated important. Windows Server 2003 is only affected by three bulletins of which two have received the important rating.
Add one additional critical bulletin to all desktop operating systems and one additional moderate bulletin to all server operating systems for the out of band MS14-021 release.
- Windows Vista: 1 critical, 3 important
- Windows 7: 1 critical, 3 important
- Windows 8: 1 critical, 3 important
- Windows 8.1: 1 critical, 3 important
- Windows RT: 1 critical, 2 important
- Windows RT 8.1: 1 critical, 2 important
- Windows Server 2003: 2 important, 1 moderate
- Windows Server 2008: 4 important, 1 moderate
- Windows Server 2008 R2: 4 important, 1 moderate
- Windows Server 2012: 4 important, 1 moderate
- Windows Server 2012 R2: 4 important, 1 moderate
- Server Core installation: 3 important
Other Microsoft Product Distribution
All Office products are affected by the same two bulletins, both rated important. The same is true for all affected SharePoint Server and Office Web Apps products, except that they are affected by one critical bulletin each.
- Microsoft Office 2007: 2 important
- Microsoft Office 2010: 2 important
- Microsoft Office 2013: 2 important
- Microsoft Office 2013 RT: 2 important
- Microsoft SharePoint Server 2007: 1 critical
- Microsoft SharePoint Server 2010: 1 critical
- Microsoft SharePoint Server 2013: 1 critical
- Microsoft Office Web Apps 2010: 1 critical
- Microsoft Office Web Apps 2013: 1 critical
- SharePoint Server 2013 Client Components SDK: 1 critical
- Microsoft SharePoint Designer 2007 - 2013: 1 critical
Deployment Guide
Microsoft publishes an official deployment guide each month that suggests a deployment priority for all bulletins it released in that month.
It is by no means mandatory to follow the guide, but since it takes bulletin severity levels, known exploits and attacks into account, it is usually the way to go, as the most severe issues will get patched as soon as possible.
Not yet released. Microsoft recommends concentrating on MS14-024, MS14-025 and MS14-029 first.
Security Bulletins
The following bulletins have been released in May 2014. Use the links to open the bulletins on Microsoft's website.
- MS14-021 - (Released out-of-band on May 1, 2014) - Security Update for Internet Explorer (2965111) - Critical - Remote Code Execution
- MS14-029 - Security Update for Internet Explorer (2962482) - Critical - Remote Code Execution
- MS14-022 - Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166) - Critical - Remote Code Execution
- MS14-023 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037) - Important - Remote Code Execution
- MS14-025 - Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486) - Important - Elevation of Privileges
- MS14-026 - Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important - Elevation of Privileges
- MS14-027 - Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488) - Important - Elevation of Privileges
- MS14-028 - Vulnerability in iSCSI Could Allow Denial of Service (2962485) - Important - Denial of Service
- MS14-024 - Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033) - Important - Security Feature Bypass
Security related updates
Microsoft has also released security updates to existing bulletins or products. They are listed in this section.
- Security Update for Windows 8.1 and Windows RT 8.1 (KB2962140)
- Security Update for Windows 8.1 and Windows RT 8.1 (KB2964757) without KB2919355
- MS14-018: Security Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2919355)
- MS14-021: Security Update for Internet Explorer (KB2964358)
- MS14-021: Security Update for Internet Explorer (KB2964444)
- Security Update for Internet Explorer Flash Player for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, and Windows Server 2012 (KB2961887)
Security Advisories
Microsoft has released the following security advisories.
- Security Advisory 2871997 update for Windows 8 and Windows Server 2012.
- Security Advisory 2960358 disables Rivest Cipher 4 in Transport Layer Security (TLS).
- Security Advisory 2962824 revokes digital signature for a specific UEFI module.
- Security Advisory 2755801 updates Adobe Flash Player in Internet Explorer.
Non-security related updates
This list highlights non-security related updates for various Microsoft products.
- Update for Windows Server 2008 R2 x64 Edition (KB2852386)
- Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2920540)
- Update for Windows 8.1 (KB2932074)
- Update for Windows 8.1 and Windows 7 (KB2932354)
- Update for Windows Server 2008 R2 (KB2934950)
- Update for Windows Server 2008 R2 (KB2934953)
- Update for Windows Server 2012 Essentials (KB2934957)
- Update for Windows 8 and Windows RT (KB2938459)
- Update for Windows 8.1, Windows RT 8.1, Windows 8, and Windows RT (KB2939153)
- Update for Windows 8.1 and Windows Server 2012 R2 (KB2950153)
- Update for .NET Native on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2954879)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2955163)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2955164)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2956037)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2956575)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2958262)
- Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2958263)
- Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2958265)
- Update for Windows 8.1 and Windows Server 2012 R2 (KB2965065)
- Windows Malicious Software Removal Tool - May 2014 (KB890830)/Windows Malicious Software Removal Tool - May 2014 (KB890830) - Internet Explorer Version
- System Update Readiness Tool for Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista (KB947821) [May 2014]
- Update for Windows 8 (KB2802618)
- Internet Explorer 11 for Windows 7 and Windows Server 2008 R2 (KB2841134)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2934016)
- Update for Windows 8 and Windows RT (KB2957026)
- Update for Windows 7 (KB2952664)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2959977)
- Update for Windows Server 2012 R2 (KB2919394)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2928680)
How to download and install the May 2014 security updates
You do not need to do anything if you have configured your Windows system to update automatically. If you have not changed update-related settings, that is how this month's updates will be delivered to the PC system.
It is recommended that you check for updates manually to reduce the time it takes for the system to pick up the updates. To do so, tap on the Windows-key, enter Windows Update, and select the entry from the results. Then click on the check for updates option to run a manual scan for updates.
Alternatives include downloading all security patches from Microsoft's Download Center either individually or as monthly security ISO images. Check out this page linking to all previously released security ISO images.
Check out our in-depth Windows update guide that explains everything in detail.
Additional information
- Microsoft Security Response Center blog on the 2014 Bulletin Release
- Microsoft Security Bulletin Summary for May 2014
- List of software updates for Microsoft products 2014
Microsoft just offered Security Update CAPICOM (KB931906) on my XP. So they ARE still offering XP updates. This update may be related to MS Security Essentials, not sure. I don’t have Security Essentials installed on my computer. I haven’t been able to find out very much about this update, but I’ll install it since it sounds like a very serious threat could occur. I don’t know why Microsoft would offer this update to computers that don’t have Security Essentials installed, if this update is for it.
The Malicious Software Removal Tool’s agreement says something about Microsoft being able to watch your computer anytime after the tool is run without your knowledge. See it in the license agreement that maybe no one really reads.
Well according to this page, it has been released in 2007: https://www.microsoft.com/en-us/download/details.aspx?id=3207
Yes, and also it’s for Service Pack 2. I have SP3. Crazy – 2007?!
Dear Microsoft
Please can you release the Knowledge Base articles the same time you release the updates so people don’t just get the “Oops! The page you are looking for may have a new location, or is no longer available.” error message.
Sincerely
EVERYONE!
I’m using an XP laptop and just received an automatic update offer for the MS Malicious Software Removal Tool! I have always refused to install this tool because the privacy policy is akin to the NSA’s. Maybe that’s why Microsoft offered this update, and not the others. Or they believe people on XP don’t have third-party security software installed? Anyway, support for XP is not ended. Or something.
The Malicious Software Removal Tool (MSRT) will be updated and available monthly for XP users until June 2015 (the same date as Microsoft Security Essentials definitions updates for XP).
As far as I know, that tool only reports to Microsoft if an infection is found, and you can disable that with a registry setting.
Thanks.