Today, as part of Update Tuesday, we released eight security updates – three rated Critical and five rated Important – to address 24 Common Vulnerabilities & Exposures (CVEs) in Windows, Office, .NET Framework, .ASP.NET, and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first.
Here’s an overview slide and video of the security updates released today:
For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate XI, a full description is found here.
We released three security advisories this month:
- Update to Improve Credentials Protection and Management (2871997)
- Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008R (2949927)
- Update for Microsoft EAP Implementation that Enables the Use of TLS (2977292)
We also revised Security Bulletin MS14-042: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) and Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.
Today, Microsoft also announced upcoming updates to the out-of-date ActiveX control blocking feature. Beginning November 11, 2014, the out-of-date ActiveX control blocking feature will automatically be expanded to block outdated versions of Silverlight, in addition to outdated versions of Java. It is also being expanded to support Internet Explorer 9 on Windows Vista SP2 and Windows Server 2008 SP2. For more information on this, please visit the IEBlog.
Watch our bulletin webcast tomorrow, Wednesday, October 15, 2014, at 11 a.m. PDT.
For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.
Tracey Pretorius, Director,