A Look Into the Future and the January 2014 Bulletin Release

In January, there are those who like to make predictions about the upcoming year. I am not one of those people. Instead, I like to quote Niels Bohr who said, “Prediction is very difficult, especially if it’s about the future.” However, I can say without a doubt that change is afoot in 2014.

In February, usage of the MD5 hash algorithm in certificates will be restricted, as first discussed in Security Advisory 2862973, and the update goes out through Microsoft Update on the 11th. This will impact applications and services using certificates with the MD5 hashing algorithm and will apply only to certificates utilized for server authentication, code signing and time stamping. The restriction is limited to certificates issued under roots in the Microsoft root certificate program.

Support for Windows XP comes to an end in April. There has already been much written about this auspicious event, so I won’t rehash it all here. Of course, we realize that just because support is ending, it does not mean XP usage will – much to the delight of attackers around the world. I’m not sure if it’s possible to have fond memories of an operating system, but XP will always maintain a warm place in my heart – just not on my laptop.

June brings changes to the Windows Authenticode verification function. This affects developers more than consumers, but it’s an important change. Once implemented, certain programs will be considered "unsigned" if Windows identifies content that does not conform to the Authenticode specification. You can read all about this change in Security Advisory 2915720 and over on the SRD blog.

Some things will remain the same. Sun or snow, we will still be here every second Tuesday of the month to bring you the latest security updates. This month, we’re releasing four security bulletins addressing six unique CVEs in Microsoft Windows, Office, and Dynamics AX.  All updates this month are rated Important. Here’s on overview of this month’s release:

Click to embiggen


Our top deployment priority for this month is MS14-002, which addresses a publicly known issue in the Windows Kernel.

MS14-002 | Vulnerability in Windows Kernel Could Allow Elevation of Privilege This bulletin addresses the issue first described in Security Advisory 2918840, which allows an attacker to perform an elevation of privilege if they are able to log on to a system and run a specially crafted application. We are aware of targeted attacks using this vulnerability, where attackers attempts to lure someone into opening a specially crafted PDF to access the system. Even when we first saw this, the PDF portion of the attack did not affect those with a fully updated system.

We’re also re-releasing MS13-081 to provide a re-offering of KB2862330 for Windows 7 and Windows Server 2008 R2. The re-released update addresses an issue in the original offering that caused the KB2862330 update to fail or only partially install on some systems with third-party USB drivers. If you are running an affected system, you will be re-offered the new update and we encourage you to install it at the earliest opportunity.

Finally, we are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-02. For more information about this update, including download links, see Microsoft Knowledge Base Article 2916626.

Watch the bulletin overview video below for a brief summary of today's releases.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

William Peteroy and I will host the monthly bulletin webcast, scheduled for Wednesday, January 15, 2013, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow us at @MSFTSecResponse.

I look forward to hearing your questions about this month’s release in our webcast tomorrow.

Thanks, Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing