July 2014 Security Bulletin Release

Many around the globe have been following the 2014 FIFA World Cup Brazil™ closely. Regardless of which country you are supporting, many folks have been impressed by the defensive display put on by keeper Tim Howard in a loss against Belgium. It was a great performance highlighting a strong defense – always a good thing to have, be it on the pitch or on your system.

This month’s release includes six new security bulletins, addressing 29 Common Vulnerability and Exposures (CVEs) in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, three are rated Important, and one rated Moderate in severity. As always, we encourage you to apply all of the updates, but for those who prioritize, we recommend the Windows Journal and Internet Explorer (IE) updates be on the top of your list.

If you are looking for additional resources to help you prioritize, take a look at our recently released myBulletins security bulletins customization free online service. myBulletins enables you to quickly find security bulletins using advanced search and filtering options. The service also provides a dynamic list in a customizable dashboard that can be edited at any time, as well as downloaded to a Microsoft Excel report. Give it a try, and let us know what you think by using the site feedback link.

Here’s an overview of all of the updates released today:

Click to enlarge

*Bulletins in each deployment priority are listed in numerical order by bulletin number

The security bulletin for Windows Journal addresses one privately reported CVE that could allow an attacker to execute code on your system if you open a malicious Windows Journal file. It’s worth noting that Windows Server versions do not have Windows Journal installed by default. That’s by design. You are always at less risk when you have fewer applications installed, so server systems ship with many optional components disabled. If you haven’t reviewed the applications installed on your server recently, now is a good time to do so. Reducing the attack surface will have a positive impact on the overall security of the server.

The ongoing diligent work from our Internet Explorer team continues this month, with the security bulletin for Internet Explorer addressing a total of 24 CVEs. The most critical of these could allow remote code execution if a user views a webpage specially crafted by a cybercriminal. Similar to last month, we have not seen any active attacks attempting to exploit any of the CVEs addressed by this security bulletin – or any of the other issues we addressed this month. Addressing these items before there is any customer impact from attacks remains our goal with security bulletins.

To ensure you have our latest protections while browsing the Internet, you should really upgrade to the latest version of Internet Explorer. For Windows 7 and Windows 8.1, that means Internet Explorer 11 – the most modern, secure browser we have built. Internet Explorer 11 has advanced security features like Enhanced Protection Mode (EPM) and SmartScreen Filter, support for modern web standards, and Enterprise Mode for rendering legacy web apps. Internet Explorer 11 is much more secure than our older versions, which is why we encourage customers to upgrade.

We also have three advisories to address today. The first is a revision to the Update to Improve Credentials Protection and Management. This new package changes the default behavior for Restricted Admin mode on Windows 8.1 and Windows Server 2012 R2. This advisory deals with different strategies for combating credential theft, which is a hot topic today. Patrick Jungles (lead author) and team have a new whitepaper discussing ways to defend against pass-the-hash style attacks, and there is a new web resource that covers various techniques and tactics to help prevent different types of credential theft attacks. Implementing these tactics before they are needed is another way to positively impact the overall security posture in an enterprise.

The Update for Disabling RC4 in .NET TLS has been revised as well. This update was revised to announce a Microsoft Update Catalog detection change for the updates requiring installation of the 2868725 prerequisite update. If you have already successfully installed this update, then you don’t need to take any further action.

Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-17. For more information about this update, including download links, see Microsoft Knowledge Base Article 2974008.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page. Watch the bulletin overview video below for a brief summary of today's releases.

Jonathan Ness and I will host the monthly security bulletin webcast, scheduled for Wednesday, July 9, 2014, at 11 a.m. PDT. There’s no longer a need to register before this event to attend. You can find details on how to view the webcast and get a calendar reminder here. I invite you to tune in to learn more about this month’s security bulletins.

I look forward to hearing any questions about this month’s release during our webcast tomorrow.

For all the latest information, you can also follow us at @MSFTSecResponse.

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing