May 2014 - Microsoft Releases 8 Security Advisories
DESCRIPTION
Microsoft addresses the following vulnerabilities in its May batch of patches:
- (MS14-021) Security Update for Internet Explorer (2965111)
Risk Rating: Critical
This security update resolves a publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer.
- (MS14-029) Security Update for Internet Explorer (2962482)
Risk Rating: Critical
This security update resolves two privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
- (MS14-022) Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)
Risk Rating: Critical
This security update resolves multiple privately reported vulnerabilities in Microsoft Office server and productivity software. The most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.
- (MS14-023) Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037)
Risk Rating: Important
This security update resolves two privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens an Office file that is located in the same network directory as a specially crafted library file.
- (MS14-025) Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)
Risk Rating: Important
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain - a practice that could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.
- (MS14-026) Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)
Risk Rating: Important
This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an unauthenticated attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting.
- (MS14-027) Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)
Risk Rating: Important
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that uses ShellExecute.
- (MS14-028) Vulnerability in iSCSI Could Allow Denial of Service (2962485)
Risk Rating: Important
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends large amounts of specially crafted iSCSI packets over the target network.
- (MS14-024) Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)
Risk Rating: Important
This security update resolves one privately reported vulnerability in an implementation of the MSCOMCTL common controls library. The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer.
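A check for the practice described under MS14-025 above, as an added example (not Microsoft or Trend Micro code): it walks a copy of a SYSVOL `Policies` tree and reports Group Policy preference XML elements that still carry a stored password in the `cpassword` attribute, without outputting the value. The directory names, sample files and function names are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Attributes that name the account in preference items (others show "(unknown)").
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_gpp_passwords(root_dir):
    """Return (path, element tag, account) for every XML element under
    root_dir with a non-empty cpassword attribute. The value is never returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in sorted(files):
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file: skip it, keep scanning
            for elem in tree.iter():
                if elem.get("cpassword"):
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "(unknown)")
                    findings.append((path, elem.tag, account))
    return findings

def write_sample(base):
    """Create a constructed Policies tree: one stored password, one empty, one broken."""
    samples = {
        "GPO-A": '<Groups><User name="svc_local"><Properties action="U" '
                 'userName="svc_local" cpassword="CONSTRUCTED-PLACEHOLDER"/></User></Groups>',
        "GPO-B": '<Groups><User name="guest"><Properties action="U" '
                 'userName="guest" cpassword=""/></User></Groups>',
        "GPO-C": "<Groups><User",  # truncated on purpose
    }
    for gpo, xml_text in samples.items():
        folder = os.path.join(base, "Policies", gpo, "Machine", "Preferences", "Groups")
        os.makedirs(folder)
        with open(os.path.join(folder, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(xml_text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        for path, tag, account in find_gpp_passwords(tmp):
            print(f"stored password found: {os.path.relpath(path, tmp)} <{tag}> account={account}")
```
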
TREND MICRO PROTECTION INFORMATION
Trend Micro Deep Security shields networks through the following Deep Packet Inspection (DPI) rules. Trend Micro customers using the Vulnerability Protection product or OfficeScan with Intrusion Defense Firewall (IDF) plugin are also protected from attacks using these vulnerabilities.
| MS Bulletin ID | Vulnerability ID | DPI Rule Number | DPI Rule Name | Release Date | Vulnerability Protection and IDF Compatibility |
|---|---|---|---|---|---|
| MS14-022 | CVE-2014-1754 | 1000552 | Generic Cross Site Scripting(XSS) Prevention | 05-Jul-06 | NO |
| MS14-029 | CVE-2014-0310 | 1006034 | Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310) | 13-May-14 | YES |
| MS14-029 | CVE-2014-1815 | 1006056 | Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815) | 13-May-14 | YES |
SOLUTION