Safer Internet Day 2014 and Our February 2014 Security Updates

In addition to today being the security update release, February 11 is officially Safer Internet Day for 2014. This year, we’re asking folks to Do 1 Thing to stay safer online. While you may expect my “Do 1 Thing” recommendation would be to apply security updates, I’m guessing that for readers of this blog, that request would be redundant. Instead, I’ll ask that you also install the latest version of the Enhanced Mitigation Experience Toolkit (EMET). If you aren’t familiar with EMET, the utility helps prevent vulnerabilities from being successfully exploited by using security mitigation technologies built into the operating system. EMET doesn’t guarantee that vulnerabilities cannot be exploited, but it works to make exploitation as difficult as possible and is a great addition to any layered defense.

If you choose to install EMET as part of Safer Internet Day, you won’t just be making a difference on your own systems, you can also help a great non-profit organization. Starting today, when you share your promise to create a better Internet or participate in selected social media activities, Microsoft will make a donation to TechSoup Global – a nonprofit organization using technology to solve global problems and foster social change.

Now let’s get back to that other “One Thing” – This month, we’re releasing seven updates, four rated Critical and three rated Important, addressing 31 unique CVEs in Microsoft Windows, Internet Explorer, .NET Framework and Forefront Protection for Exchange. Here’s an overview of this month’s release:

Click to enlarge

Our top deployment priorities for this month are MS14-007, MS14-010 and MS14-011, which address issues in Microsoft Windows Direct2D, Internet Explorer, and the VBScript Scripting Engine.

MS14-007 | Vulnerability in Direct2D Could Allow Remote Code Execution  
This update addresses a privately reported vulnerability in the Microsoft Windows Direct2D component. The vulnerability could allow remote code execution if a customer views a specially crafted webpage using Internet Explorer.

MS14-010 | Cumulative Security Update for Internet Explorer   
This cumulative update addresses one public and 23 privately disclosed issues in Internet Explorer. It’s important to remember that this is still just one update. Our guidance to customers does not change based on the number of CVEs contained in a single Internet Explorer update. An attacker who successfully exploited the most severe of these issues could execute code at the level of the logged on user. Customers who deploy this update will be protected from that scenario.

MS14-011 | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution  
This update addresses a privately reported vulnerability in the VBScript scripting engine within Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Although this update and MS14-007 have similar exploit vectors to the update for Internet Explorer, these issues actually reside in Windows components – not Internet Explorer. This update also shares a CVE with the MS14-010 update for Internet Explorer as the VBScript scripting engine was included in Internet Explorer 9.

We’ve mentioned it several times before, but in case you missed it, we revised Security Advisory 2862973 today to provide the update through automatic updates. We originally released this update last August to allow for testing, as the update will impact applications and services using certificates with the MD5 hashing algorithm. If you have already applied the update, you won’t need to take any additional action. If you haven’t applied this update yet, you can do so through automatic updates.

Watch the bulletin overview video below for a brief summary of today's releases.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, February 12, 2014, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow us at @MSFTSecResponse.

I encourage you to consider what “one thing” you can do to improve your internet safety, and I look forward to hearing your questions about this month’s release in our webcast tomorrow.

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing