Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 38 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
Affected Versions:-
Windows Media Center TV Pack for Windows Vista, all supported editions of Windows 7 except Starter and Home Basic editions, Windows Media Center when installed on Windows 8 Professional edition, and Windows Media Center when installed on Windows 8.1 Professional edition
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-043 Windows 7 for 32-bit Systems Service Pack 1
MS14-043 Windows 7 for x64-based Systems Service Pack 1
MS14-043 Windows 8 for 32-bit Systems (Professional edition only)(Windows Media Center)
MS14-043 Windows 8 for x64-based Systems (Professional edition only)(Windows Media Center)
MS14-043 Windows 8.1 for 32-bit Systems(Professional edition only)(Windows Media Center)
MS14-043 Windows 8.1 for x64-based Systems(Professional edition only)(Windows Media Center)
MS14-043 Windows Media Center TV Pack for Windows Vista (32-bit editions)
MS14-043 Windows Media Center TV Pack for Windows Vista (64-bit editions)
An XSS vulnerability exists in SQL Master Data Services (MDS) that could allow an attacker to inject a client-side script into the user's instance of Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the site on behalf of the targeted user (CVE-2014-1820).
A denial of service vulnerability exists in SQL Server. An attacker who successfully exploited this vulnerability could cause the server to stop responding until a manual reboot is initiated.
This security update is rated Important for supported editions of Microsoft SQL Server 2008 Service Pack 3, Microsoft SQL Server 2008 R2 Service Pack 2, and Microsoft SQL Server 2012 Service Pack 1; it is also rated Important for Microsoft SQL Server 2014 for x64-based Systems.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-044 Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 2
MS14-044 Microsoft SQL Server 2008 R2 for Itanium-based Systems Service Pack 2
MS14-044 Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 2
MS14-044 Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3
MS14-044 Microsoft SQL Server 2008 for Itanium-based Systems Service Pack 3
MS14-044 Microsoft SQL Server 2008 for x64-based Systems Service Pack 3
MS14-044 Microsoft SQL Server 2012 for 32-bit Systems Service Pack 1
MS14-044 Microsoft SQL Server 2012 for x64-based Systems Service Pack 1
MS14-044 Microsoft SQL Server 2014 for x64-based Systems
The kernel is prone to the following vulnerabilities:
- An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles window handle thread-owned objects.
- An elevation of privilege vulnerability exists in the way that the affected component handles objects from specially crafted font files.
NOTE: Microsoft revised the bulletin to remove the Download Center links for Microsoft security update 2982791.
Microsoft recommends that customers uninstall patch KB2982791 due to known issues. A replacement KB2993651 patch is now available to mitigate the vulnerability .
Source: KB2993651 for further information.
This security update is rated Important for all supported releases of Microsoft Windows.
Affected Software:
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2
Windows RT and Windows RT 8.1
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-045 Windows 7 for 32-bit Systems Service Pack 1
MS14-045 Windows 7 for 32-bit Systems Service Pack 1
MS14-045 Windows 7 for x64-based Systems Service Pack 1
MS14-045 Windows 7 for x64-based Systems Service Pack 1
MS14-045 Windows 8 for 32-bit Systems
MS14-045 Windows 8 for 32-bit Systems
MS14-045 Windows 8 for x64-based Systems
MS14-045 Windows 8 for x64-based Systems
MS14-045 Windows 8.1 for 32-bit Systems
MS14-045 Windows 8.1 for 32-bit Systems
MS14-045 Windows 8.1 for x64-based Systems
MS14-045 Windows 8.1 for x64-based Systems
MS14-045 Windows Server 2003 Service Pack 2
MS14-045 Windows Server 2003 with SP2 for Itanium-based Systems
MS14-045 Windows Server 2003 x64 Edition Service Pack 2
MS14-045 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS14-045 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS14-045 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS14-045 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS14-045 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS14-045 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
MS14-045 Windows Server 2008 for 32-bit Systems Service Pack 2
MS14-045 Windows Server 2008 for 32-bit Systems Service Pack 2
MS14-045 Windows Server 2008 for 32-bit Systems Service Pack 2
MS14-045 Windows Server 2008 for 32-bit Systems Service Pack 2
MS14-045 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS14-045 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS14-045 Windows Server 2008 for x64-based Systems Service Pack 2
MS14-045 Windows Server 2008 for x64-based Systems Service Pack 2
MS14-045 Windows Server 2008 for x64-based Systems Service Pack 2
MS14-045 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
MS14-045 Windows Server 2012
MS14-045 Windows Server 2012
MS14-045 Windows Server 2012
MS14-045 Windows Server 2012 (Server Core installation)
MS14-045 Windows Server 2012 R2
MS14-045 Windows Server 2012 R2
MS14-045 Windows Server 2012 R2
MS14-045 Windows Server 2012 R2
MS14-045 Windows Vista Service Pack 2
MS14-045 Windows Vista Service Pack 2
MS14-045 Windows Vista x64 Edition Service Pack 2
MS14-045 Windows Vista x64 Edition Service Pack 2
This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, and Microsoft .NET Framework 3.5.1 on affected releases of Microsoft Windows.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-046 Windows 7 for 32-bit Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS14-046 Windows 7 for 32-bit Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS14-046 Windows 7 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS14-046 Windows 7 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS14-046 Windows 8 for 32-bit Systems(Microsoft .NET Framework 3.5)
MS14-046 Windows 8 for 32-bit Systems(Microsoft .NET Framework 3.5)
MS14-046 Windows 8 for x64-based Systems(Microsoft .NET Framework 3.5)
MS14-046 Windows 8 for x64-based Systems(Microsoft .NET Framework 3.5)
MS14-046 Windows 8.1 for 32-bit Systems(Microsoft .NET Framework 3.5)
MS14-046 Windows 8.1 for 32-bit Systems(Microsoft .NET Framework 3.5)
MS14-046 Windows 8.1 for x64-based Systems(Microsoft .NET Framework 3.5)
MS14-046 Windows 8.1 for x64-based Systems(Microsoft .NET Framework 3.5)
MS14-046 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS14-046 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS14-046 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS14-046 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS14-046 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(Microsoft .NET Framework 3.5.1)
MS14-046 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(Microsoft .NET Framework 3.5.1)
MS14-046 Windows Server 2008 for 32-bit Systems Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS14-046 Windows Server 2008 for 32-bit Systems Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS14-046 Windows Server 2008 for Itanium-based Systems Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS14-046 Windows Server 2008 for Itanium-based Systems Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS14-046 Windows Server 2008 for x64-based Systems Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS14-046 Windows Server 2008 for x64-based Systems Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS14-046 Windows Server 2012(Microsoft .NET Framework 3.5)
MS14-046 Windows Server 2012(Microsoft .NET Framework 3.5)
MS14-046 Windows Server 2012 (Server Core installation)(Microsoft .NET Framework 3.5)
MS14-046 Windows Server 2012 (Server Core installation)(Microsoft .NET Framework 3.5)
MS14-046 Windows Server 2012 R2(Microsoft .NET Framework 3.5)
MS14-046 Windows Server 2012 R2(Microsoft .NET Framework 3.5)
MS14-046 Windows Server 2012 R2 (Server Core installation)(Microsoft .NET Framework 3.5)
MS14-046 Windows Server 2012 R2 (Server Core installation)(Microsoft .NET Framework 3.5)
MS14-046 Windows Vista Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS14-046 Windows Vista Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS14-046 Windows Vista x64 Edition Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS14-046 Windows Vista x64 Edition Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
Microsoft Windows is exposed to a security vulnerability which is caused when RPC improperly frees messages that the server rejects as malformed, allowing an attacker to fill up the address space of a process.
This security update is rated Important for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1.
Note: Customers running Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 must first install the 2919355 update released in April, 2014 before this update.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-047 Windows 7 for 32-bit Systems Service Pack 1
MS14-047 Windows 7 for x64-based Systems Service Pack 1
MS14-047 Windows 8 for 32-bit Systems
MS14-047 Windows 8 for x64-based Systems
MS14-047 Windows 8.1 for 32-bit Systems
MS14-047 Windows 8.1 for x64-based Systems
MS14-047 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS14-047 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS14-047 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS14-047 Windows Server 2012
MS14-047 Windows Server 2012
MS14-047 Windows Server 2012 R2
MS14-047 Windows Server 2012 R2
Microsoft OneNote 2007 is prone to a remote code execution vulnerability because the application fails to properly handle specially crafted OneNote files.
Microsoft has released a security update that addresses the vulnerability by correcting the way that Microsoft OneNote parses specially crafted files.
This security update is rated Important for all supported editions of Microsoft OneNote 2007.
Workaround:
Do not open OneNote files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-048 Microsoft OneNote 2007 Service Pack 3
The security update addresses the vulnerability by correcting the way that the Windows Installer service handles installation and repair scenarios.
This security update is rated Important for all supported releases of Microsoft Windows.
Note: Customers running Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 must first install the 2919355 update released in April, 2014 before installing the 2918614 update.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-049 Windows 7 for 32-bit Systems Service Pack 1
MS14-049 Windows 7 for x64-based Systems Service Pack 1
MS14-049 Windows 8 for 32-bit Systems
MS14-049 Windows 8 for x64-based Systems
MS14-049 Windows 8.1 for 32-bit Systems
MS14-049 Windows 8.1 for x64-based Systems
MS14-049 Windows Server 2003 Service Pack 2
MS14-049 Windows Server 2003 with SP2 for Itanium-based Systems
MS14-049 Windows Server 2003 x64 Edition Service Pack 2
MS14-049 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS14-049 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS14-049 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS14-049 Windows Server 2008 for 32-bit Systems Service Pack 2
MS14-049 Windows Server 2008 for 32-bit Systems Service Pack 2
MS14-049 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS14-049 Windows Server 2008 for x64-based Systems Service Pack 2
MS14-049 Windows Server 2008 for x64-based Systems Service Pack 2
MS14-049 Windows Server 2012
MS14-049 Windows Server 2012
MS14-049 Windows Server 2012 R2
MS14-049 Windows Server 2012 R2
MS14-049 Windows Vista Service Pack 2
MS14-049 Windows Vista x64 Edition Service Pack 2
The vulnerability is caused when SharePoint Server does not properly handle a specially crafted app that uses the SharePoint extensibility model to execute arbitrary JavaScript on behalf of the user. Conditions exist where an app could bypass app permission management and run arbitrary code in the security context of the logged-on user.
Microsoft has released a security update that addresses the vulnerability by correcting how SharePoint Server sanitizes specially crafted applications (apps) that use custom actions.
The security update is rated Important for supported editions of Microsoft SharePoint Server 2013 and Microsoft SharePoint Foundation 2013.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-050 Microsoft SharePoint Server 2013(Microsoft SharePoint Foundation 2013)
MS14-050 Microsoft SharePoint Server 2013(Microsoft SharePoint Server 2013)
MS14-050 Microsoft SharePoint Server 2013 Service Pack 1(Microsoft SharePoint Foundation 2013 Service Pack 1)
MS14-050 Microsoft SharePoint Server 2013 Service Pack 1(Microsoft SharePoint Server 2013 Service Pack 1)
Multiple elevation of privilege vulnerabilities exist in Internet Explorer. These vulnerabilities are caused when Internet Explorer does not properly validate permissions under specific conditions, potentially allowing script to be run with elevated privileges.
Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory.
This security update is rated Critical for Internet Explorer 6 (IE 6), Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.
Workaround:
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-051 Windows 7 for 32-bit Systems Service Pack 1(Internet Explorer 10)
MS14-051 Windows 7 for 32-bit Systems Service Pack 1(Internet Explorer 11)
MS14-051 Windows 7 for 32-bit Systems Service Pack 1(Internet Explorer 8)
MS14-051 Windows 7 for 32-bit Systems Service Pack 1(Internet Explorer 9)
MS14-051 Windows 7 for x64-based Systems Service Pack 1(Internet Explorer 10)
MS14-051 Windows 7 for x64-based Systems Service Pack 1(Internet Explorer 11)
MS14-051 Windows 7 for x64-based Systems Service Pack 1(Internet Explorer 8)
MS14-051 Windows 7 for x64-based Systems Service Pack 1(Internet Explorer 9)
MS14-051 Windows 8 for 32-bit Systems(Internet Explorer 10)
MS14-051 Windows 8 for x64-based Systems(Internet Explorer 10)
MS14-051 Windows 8.1 for 32-bit Systems(Internet Explorer 11)
MS14-051 Windows 8.1 for x64-based Systems(Internet Explorer 11)
MS14-051 Windows Server 2003 Service Pack 2(Internet Explorer 6)
MS14-051 Windows Server 2003 Service Pack 2(Internet Explorer 7)
MS14-051 Windows Server 2003 Service Pack 2(Internet Explorer 8)
MS14-051 Windows Server 2003 with SP2 for Itanium-based Systems(Internet Explorer 6)
MS14-051 Windows Server 2003 with SP2 for Itanium-based Systems(Internet Explorer 7)
MS14-051 Windows Server 2003 x64 Edition Service Pack 2(Internet Explorer 6)
MS14-051 Windows Server 2003 x64 Edition Service Pack 2(Internet Explorer 7)
MS14-051 Windows Server 2003 x64 Edition Service Pack 2(Internet Explorer 8)
MS14-051 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(Internet Explorer 8)
MS14-051 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Internet Explorer 10)
MS14-051 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Internet Explorer 11)
MS14-051 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Internet Explorer 8)
MS14-051 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Internet Explorer 9)
MS14-051 Windows Server 2008 for 32-bit Systems Service Pack 2(Internet Explorer 7)
MS14-051 Windows Server 2008 for 32-bit Systems Service Pack 2(Internet Explorer 8)
MS14-051 Windows Server 2008 for 32-bit Systems Service Pack 2(Internet Explorer 9)
MS14-051 Windows Server 2008 for Itanium-based Systems Service Pack 2(Internet Explorer 7)
MS14-051 Windows Server 2008 for x64-based Systems Service Pack 2(Internet Explorer 7)
MS14-051 Windows Server 2008 for x64-based Systems Service Pack 2(Internet Explorer 8)
MS14-051 Windows Server 2008 for x64-based Systems Service Pack 2(Internet Explorer 9)
MS14-051 Windows Server 2012(Internet Explorer 10)
MS14-051 Windows Server 2012 R2(Internet Explorer 11)
MS14-051 Windows Vista Service Pack 2(Internet Explorer 7)
MS14-051 Windows Vista Service Pack 2(Internet Explorer 8)
MS14-051 Windows Vista Service Pack 2(Internet Explorer 9)
MS14-051 Windows Vista x64 Edition Service Pack 2(Internet Explorer 7)
MS14-051 Windows Vista x64 Edition Service Pack 2(Internet Explorer 8)
MS14-051 Windows Vista x64 Edition Service Pack 2(Internet Explorer 9)
These new vulnerability checks are included in Qualys vulnerability signature 2.2.793-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
To perform a selective vulnerability scan, configure a scan profile to use the following options:
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Platforms and Platform Identification
For more information, customers may contact Qualys Technical Support.
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.