The May 2014 Security Updates

Today, we released eight security bulletins – two rated Critical and six rated Important – to address 13 Common Vulnerabilities and Exposures (CVEs) in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on MS14-024, MS14-025 and MS14-029.

We are also releasing some new security advisories today. Security Advisory 2871997 provides an update for Windows 8 and Windows Server 2012 that improves credential protection and domain authentication controls to reduce credential theft. These features are currently available in Windows 8.1 and Windows Server 2012 R2, and we are making them available for other platforms.

The .NET Framework update provided by Security Advisory 2960358 disables Rivest Cipher 4 (RC4) in Transport Layer Security (TLS). This is similar to what we did with Security Advisory 2868725 in November 2013. The only difference is that this month’s advisory is specific to the .NET Framework.

The last of the new advisories is Security Advisory 2962824. This update revokes the digital signature for a specific Unified Extensible Firmware Interface (UEFI) module. Although we are not currently aware of any customer impact, we’re taking this step out of an abundance of caution as a part of our ongoing efforts to provide the best customer protections available. If you are not running a system that supports UEFI Secure Boot or you have it disabled, there is no risk, and no action for you to take.

Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-14. For more information about this update, including download links, see Microsoft Knowledge Base Article 2957151.

For those wondering, Windows XP will not be receiving any security updates today. For some time we have been recommending customers move to a modern operating system like Windows 7 or Windows 8.1 to help stay safe, and now is a great time to make that move. For more information, see the Windows Experience Blog.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploit Index (XI), a full description is found here.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, May 14, 2014, at 11 a.m. PDT. I invite you to register here and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing