Microsoft Security Bulletins For October 2014
Welcome to the Microsoft's October 2014 Patch Day overview. It provides an in-depth analysis and information about all security bulletins and updates that Microsoft released for its products since the September patch day.
Microsoft released eight security bulletins this month fixing a total of 24 vulnerabilities in company products such as the Microsoft Windows operating system, Internet Explorer or Microsoft Office.
Three of the bulletins have received the highest severity rating of critical and five the second highest rating of important.
You find details about those patches below including a video summary by Microsoft, distribution of updates as well as deployment and download information.
Microsoft announced today that it will add outdated versions of Silverlight to the out-of-date ActiveX control blocking feature starting November 11, 2014. All versions of Silverlight older than Silverlight 5.1.30514.0 are affected by this.
Executive Summary
- A total of eight bulletins have been released on this patch day that fix a total of 24 vulnerabilities.
- Affected products include Microsoft Windows, Microsoft .Net Framework, Microsoft Office and Internet Explorer.
- Three of the nine bulletins received the highest severity rating critical.
- Microsoft suggests to deploy the bulletins MS14-056, MS14-057 and MS14-058 first (the three critical ones).
Video Summary
Operating System Distribution
As far as client operating systems are concerned, all but Windows Vista are affected by three critical and one important bulletin. Windows Vista in addition to that is affected by another important rated bulletin.
Windows Server 2003 and Windows Server 2008 are affected by two critical, two important and 1 moderate bulletin, while all other server operating systems are affected by two critical, one important and moderate bulletin.
- Windows Vista: 3 critical, 2 important
- Windows 7:Â Â 3 critical, 1 important
- Windows 8:Â 3 critical, 1 important
- Windows 8.1: 3 critical, 1 important
- Windows RT: 3 critical, 1 important
- Windows RT 8.1:Â 3 critical, 1 important
- Windows Server 2003: 2 critical, 2 important, 1 moderate
- Windows Server 2008: 2 critical, 2 important, 1 moderate
- Windows Server 2008 R2: 2 critical, 1 important, 1 moderate
- Windows Server 2012: 2 critical, 1 important, 1 moderate
- Windows Server 2012 R2: 2 critical, 1 important, 1 moderate
- Server Core installation: 2 critical, 1 important
Other Microsoft Product Distribution
- Microsoft Office 2007: 1 important
- Microsoft Office 2010: 1 important
- Microsoft Office for Mac: 1 important
- Microsoft Office Compatibility Pack: 1 important
- Microsoft SharePoint Server 2010: 1 important
- Microsoft Office Web Apps 2010: 1 important
- ASP .NET MVC: 1 important
Deployment Guide
The suggested deployment priority for the October 2014 is to deploy all three critical vulnerabilities with the highest priority, followed by vulnerabilities MS14-060 and MS14-061 that address issues in OLE and Word second.
- Tier 1: MS14-056 Internet Explorer, MS14-057 .Net Framework and MS14-058 KMD (all critical)
- Tier 2: MS14-06 OLE, MS14-061 Microsoft Word (all important)
- Tier 3: MS14-059 ASP.NET, MS14-062 Message Queuing, MS14-063 Fat32
Security Bulletins
MS14-056 - Cumulative Security Update for Internet Explorer (2987107) - critical - remote code execution
MS14-057 - Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) - critical - remote code execution
MS14-058 - Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - critical - remote code execution
MS14-059 - Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942) - important - security feature bypass
MS14-060 - Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - important - remote code execution
MS14-061 - Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434) - important - remote code execution
MS14-062 - Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - important - elevation of privilege
MS14-063 - Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) - important - remote code execution
Security Advisories
Microsoft has released three security advisories this month.
- Update to Improve Credentials Protection and Management (2871997) - This update improves "credential protection and domain authentication controls to reduce credential theft".
- Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 (2949927) - This adds support for SHA-2 signing and verification functionality.
- Update for Microsoft EAP Implementation that Enables the Use of TLS (2977292) - Enables the use of Transport Layer Security (TLS) 1.1 or 1.2 through the modification of the system registry.
Non-security related updates
- Update for Windows 7 - Compatibility update for upgrading Windows 7 (KB2952664)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2989542)
- Update for Windows 7 and Windows Server 2008 R2 (KB2994023)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2995387)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2995388)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2998174)
- Update for Windows 7 and Windows Server 2008 R2 (KB2998812)
- Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, Windows Server 2012, Windows 7, and Windows Server 2008 R2 (KB3000988)
- Windows Malicious Software Removal Tool - October 2014 (KB890830)/Windows Malicious Software Removal Tool - October 2014 (KB890830) - Internet Explorer Version
- Update for Windows 7 and Windows Server 2008 R2 - Update to support the new currency symbol for the Russian ruble in Windows (KB2970228)
- Update for Windows 8, Windows RT, and Windows Server 2012 - August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012 (KB2975331)
- Update for Windows 8, Windows RT, and Windows Server 2012 - September 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012 (KB2984005)
- Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 - September 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (KB2984006)
- Update for Microsoft .NET Framework 3.5 - Update for .NET Framework 3.5 on Windows Server 2012 R2, and Windows Server 2012, Windows 8.1, and Windows 8 (KB3005628)
- Update for Windows 7 - September 2014 update for DVD playback in Windows 7 SP1 (KB3001554)
- Update for Windows 8.1 - Some versions of the OneDrive desktop app for Windows do not update automatically (KB2990967)
- Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP Embedded - A September 2014 time zone update for Russia is available (KB2998527)
How to download and install the October 2014 security updates
The October 2014 security patches are made available via Windows Update to all systems running client or server based versions of Windows.
If automatic updates is enabled, the updates will be downloaded automatically to the system once the system picks them up.
It may still be a good idea to check for updates manually as it may take some time after the release before they get downloaded to the system automatically.
- Tap on the Windows-key, type Windows Update and select the result from the list displayed to you.
- There you need to click on check for updates to run a manual update check.
Microsoft will make the updates available on the Microsoft Download Center as well for manual download and in form of monthly security ISO images.
Additional information
- Microsoft Security Response Center blog on the 2014 Bulletin Release
- Microsoft Security Bulletin Summary for October 2014
- List of software updates for Microsoft products 2014
- Our in-depth update guide for Windows
I had some problems with KB2949927.After installation it was offered again and again,so
I manually downloaded and installed that update and now everything is OK.
I could not install this update. Someone help me, thanks!
I downloaded KB2949927 from Microsoft site and installed it.
http://www.microsoft.com/en-US/download/details.aspx?id=44366
See here :
KB2949927 fails to install…
https://social.technet.microsoft.com/Forums/en-US/bc191121-94ab-483f-ae9f-d5056ca3aae5/kb2949927-fails-to-install-if-bitlocker-fvevol-service-is-disabled?forum=w7itproinstall
Microsoft Removes KB2949927 Botched Windows 7 Update
http://news.softpedia.com/news/Microsoft-Removes-KB2949927-Botched-Windows-7-Update-462493.shtml
Here the Update for Windows 7 – Compatibility update for upgrading Windows 7 (KB2952664) failed to install with error code = 80242016. This error code is said to be related to a possible connection failure. Has anyone else encountered this issue? I’ve restarted Windows Update but missing KB2952664 is (still) not proposed. First time I encounter a WinUpdate failure.
Yes, I too had KB2952664 fail to install with error code 80242016.
I also restarted Windows Update with the exact same results as you experienced.
How do I resolve this issue?
I”m running Win. 7 x64 SP1. All updates and patches are current.
From what I’ve read of users’ experiences with failed Windows Updates, either retry as you and I have, or wait for next automatic update (if applicable). Tomorrow morning (with auto update at 03:00 AM) I should be settled.
KB2952664 is a non-security related update, fortunately. I am truly puzzled, especially should the missed update not be handled. As I understand it, error code 80242016 includes several causes, and it may well have been a problem on MS servers’ side, you and I and others in the narrow connection issue. Maybe …
I confirm the issue. I tried to fix it following the “Fix it” guide which opens clicking the link on Display Details (list installed updates) but didn’t work. Also Installing manually the patch (I found a download link searching the WEB) failed (maybe I found an old version of the patch). Probably the best is to wait MS. Also for me is the first time WU failed… :-(
I assume this update addresses the Vista-to-8.1 flaw mentioned in the “Sandworm Group” hacking story? http://www.reuters.com/article/2014/10/14/us-russia-hackers-idUSKCN0I308F20141014
Does any geek know what is the KB2920189 security update from May12 2014 .Since 2 weeks ago my 360 Total Security recomends me it.
I cannot find anything sensible about it on google ,apart from it is about UEFI and has no security bulletin .
I am asking because I remember there were some patches worse then problems supposed to be corrected= so should I install this one ?
Hi, Martin, I try to contact you by email: but the email is error, sent failed.
How can I contact you? thanks!
Try the contact form here on the site.
Hi, martin, I did it, do you copy the email?
About failed update kb 2952664.
Go to Control Panel\All Control Panel Items\Programs and Features
Click on View Installed Updates and search for KB 2952664 (it is under -Microsoft Windows-.
Right click and Uninstall.
Restart.
Look again for Windows Updates. KB 2954526 will present itself again.
Install it.
I was successful. Case closed.
Well, thanks a lot for the “tip”, Ananda. It worked perfectly well.
I wouldn’t have imagined that a Windows failed Update be registered within the installed Updates. Good to know.
Many Thanks’ Ananda… followed your recommendation (to the letter) with the exception of going directly to Uninstall (on my system Window 7) followed the restart, and whizz-bang ~ Update installed perfectly (with Anti-Virus closed for the download).
“Wish everything was as simple as following your instructions.”
Can definitely say that if anyone has the same problems getting this update installed (when it’s actually not!) then would certainly recommend Ananda’s procedures.
Thanks’ again.