Yesterday was the second Tuesday of the month, Microsoft’s customary day to unleash its latest batch of updates, fixes, patches, and so forth. The October 14 collection included 30 mandatory items on my Windows 8.1 and Office 2013 equipped desktops and notebooks, along with at least one optional item (a fix to avoid an unwanted camera switch on PCs with more than one camera attached: this usually means a tablet or mobile device with cameras fore and aft). Eight bulletins were released to address a total of 24 vulnerabilities that touch upon most modern Windows versions (server and desktop), the MS .NET Framework, MS Office, and most versions of Internet Explorer. The most current Security Bulletin Summary provides all the gory details, but I am coming to really appreciate the “summary graphic” from the talented art staff at ghacks.net, which released this gem yesterday afternoon:
Most exploitable items are numbered zero; otherwise, bulletins are ranked by severity. Lots of action — and restart items — here.
The bulletins of greatest interest appear at the top of this very informative table:
- MS14-056: Critical: Cumulative Security Update for Internet Explorer (KB2987107)
- MS14-057: Critical: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (KB3000414)
- MS14-058: Critical: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (KB3000061)
Microsoft also released three security advisories worth digging into this month, namely:
- 2871997 Update to Improve Credentials Protection and Management: designed to enhance and improve credentials protection and domain authentication controls to help reduce credential theft for Windows 7 and 8.1 versions plus Windows Server versions 2008 R2, 2012, and 2012 R2.
- 2949927 Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2: adds support for SHA-2 signing and verification functionality (not needed in Windows 8 and Server 2012 versions; already included therein).
- 2977292 Update for Microsoft EAP that enables the Use of TLS: Update to the MS Extensible Authentication Protocol (EAP) to enable use of TLS 1.1 or 1.2 through system registry modifications. Works for all modern Windows versions (7 and up on the desktop; 2008 R2 and 2012 on the server).
Admins planning for update deployments should also ponder the security advisories, and plan their next scheduled deployments as soon as their testing and open time slots permit. There’s some important stuff in here!