Microsoft Security Response Center Blog

December 2014 Updates

Tuesday, December 09, 2014

Today, as part of Update Tuesday, we released seven security updates – three rated Critical and four rated Important in severity, to address 24 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office and Exchange. We encourage you to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage.

• Exchange
• Internet Explorer
• Microsoft Windows
• Office
• Security Bulletin
• Security Update

Advance Notification Service for the December 2014 Security Bulletin Release

Thursday, December 04, 2014

Today, we provide advance notificationfor the release of seven Security Bulletins. Three of these updates are rated Critical and four are rated as Important in severity. These updates are for Microsoft Windows, Internet Explorer (IE), Office and Exchange. As per our monthly process, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, December 9, 2014, at approximately 10 a.

• ANS
• Exchange
• IE
• Internet Explorer
• Microsoft Windows
• Office

Security Bulletin MS14-068 released

Wednesday, November 19, 2014

Today, we released an out-of-band security update to address a vulnerability in Kerberos which could allow Elevation of Privilege. This update is for all supported versions of Windows Server and includes a defense-in-depth update for all supported versions of Windows. We strongly encourage customers to apply this update as soon as possible by following the directions in Security Bulletin MS14-068.

• OOB
• Security Bulletin
• Windows

Additional information about CVE-2014-6324

Tuesday, November 18, 2014

Today Microsoft released update MS14-068 to address CVE-2014-6324, a Windows Kerberos implementation elevation of privilege vulnerability that is being exploited in-the-wild in limited, targeted attacks. The goal of this blog post is to provide additional information about the vulnerability, update priority, and detection guidance for defenders. Microsoft recommends customers apply this update to their domain controllers as quickly as possible.

• CVE-2014-6324
• Kerberos
• MS14-068
• PAC
• TGT

Out-of-band release for Security Bulletin MS14-068

Tuesday, November 18, 2014

On Tuesday, November 18, 2014, at approximately 10 a.m. PST, we will release an out-of-band security update to address a vulnerability in Windows. We strongly encourage customers to apply this update as soon as possible, following the directions in the security bulletin. More information about this bulletin can be found at Microsoft’s Bulletin Summary page.

• OOB
• Security Bulletin
• Windows

Assessing Risk for the November 2014 Security Updates

Tuesday, November 11, 2014

Today we released fourteen security bulletins addressing 33 unique CVE’s. Four bulletins have a maximum severity rating of Critical, eight have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. This table is designed to help you prioritize the deployment of updates appropriately for your environment.

MS14-072: .NET Remoting Elevation of Privilege Vulnerability

Tuesday, November 11, 2014

Today Microsoft shipped MS14-072 to the .NET Framework to address an Elevation of Privilege (EOP) vulnerability in the .NET Remoting feature. This update fixes a specific issue in .NET Remoting that permitted specially crafted remote endpoints to take advantage of this vulnerability. What is .NET Remoting? .NET Remoting is a layer within the .

November 2014 Updates

Tuesday, November 11, 2014

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

• .NET Framework
• IIS
• Internet Explorer (IE)
• Microsoft Exchange
• Microsoft Office
• Microsoft Windows
• Security Advisory
• Security Bulletins
• SharePoint
• Windows

EMET 5.1 is available

Monday, November 10, 2014

Today, we’re releasing the Enhanced Mitigation Experience Toolkit (EMET) 5.1 which will continue to improve your security posture by providing increased application compatibility and hardened mitigations. You can download EMET 5.1 from microsoft.com/emet or directly from here. Following is the list of the main changes and improvements: Several application compatibility issues with Internet Explorer, Adobe Reader, Adobe Flash, and Mozilla Firefox and some of the EMET mitigations have been solved.

• EMET

Advance Notification Service for the November 2014 Security Bulletin Release

Thursday, November 06, 2014

Today, we provide advance notification for the release of 16 Security Bulletins. Five of these updates are rated Critical, nine are rated as Important, and two are rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

• .NET Framework
• ANS
• IIS
• Internet Explorer (IE)
• Microsoft Exchange
• Microsoft Office
• Microsoft Windows