Patch Tuesday for July 2014 - 6 bulletins, 2 RCEs, 3 EoPs and get ready to reboot


Here's what to expect from Microsoft in the July 2014 edition of Patch Tuesday, scheduled to ship on Tuesday 08 July 2014.

Things are fairly straightforward this month, with six bulletins, two of which are critical patches dealing with remote code execution holes.

Internet Explorer (IE) users, take note: this month's IE fix, Bulletin One, covers all supported versions of IE from 6 to 11, patches against remote code execution, is rated Critical, and requires a reboot.

As usual, Server Core installs aren't affected by the Internet Explorer Bulletin, because Server Core can't run IE.

Bulletin Two patches Windows itself, and is also rated Critical because it deals with potential remote code execution.

Server Core isn't affected, which is yet another good advertisement for using Microsoft's stripped-down server flavour whenever you can.

When it comes to server security, less is almost always more, quite simply because the fewer drivers, libraries and programs you have installed, the lower the chance that any one of them will have a hole that might put your network at risk.

If you have a server dedicated to DHCP and DNS, for example, then it simply doesn't need to be able to run applications such as web browsers, document editors and PDF viewers.

And if it doesn't need that sort of software, then it doesn't need the extensive ecosystem of software components that are usually there to support user-facing programs.

All other Windows versions, client and server, get Bulletin Two updates, with the exception of what is now Microsoft's oldest supported platform, Windows Server 2003 SP2.

Having just talked up the security benefits of Server Core, note that the Server Core versions do get updates for the vulnerabilities covered by Bulletins Three and Four, which are rated Important and patch Elevation of Privilege (EoP) holes.

EoP holes are exactly what their name suggests: a way for users or programs with limited authority to grab more power than they are supposed to have.

Generally, though not always, EoPs allow regular users like you or me to turn themselves into administrators; as you can imagine, that can turn what might have been a troublesome cyberattack into a disastrous one.

In other words, even though EoPs usually attract a rating of Important rather than Critical (because an EoP generally can't be used by remote attackers unless they manage to break in first via some other hole), they're well worth patching with the same zeal that you apply to remote code execution holes.



Bulletin Five plugs a third EoP vulnerability that applies to many, but not all, Windows versions, and Bulletin Six is a potential Denial of Service bug in Microsoft's Server Bus product (don't worry, I hadn't heard of it either).

Server Bus is a utility layer for programmers that allows you to use, in your own software, the inter-application messaging infrastructure that is part of Azure, Microsoft's cloud service.

So, that's what's in store this month: there will almost certainly be at least one patch for all supported Windows systems in your network, and you will almost certainly have to reboot the lot of them.

Enjoy...


12 Responses to Patch Tuesday for July 2014 - 6 bulletins, 2 RCEs, 3 EoPs and get ready to reboot

  1. Is it safe to use IE?

    • With all the vulnerabilities, I say my answer is No. It seems to me that IE has been getting patches every month now. You can try other browsers, such as Firefox or Chrome.

      • Paul Ducklin · 109 days ago

        Firefox and Chrome get patches every month, too. Isn't that a *good* thing?

  2. Scott Batdorf · 109 days ago

    Re: Bulletin One, Will IE8 running on Windows XP get the update or will there be a way to manually apply the update to IE8?

    • Mike Merritt · 109 days ago

      You need to do the registry patch to make Windows XP pretend it is the POS version of XP - which is still getting updates.

    • Blake · 109 days ago

      Windows XP is not supported.

    • Anonymous · 109 days ago

      No, there won't be any more patches for XP. Be aware that Microsoft has dropped support for Windows XP April 8, which means NO PATCHES. To stay secure, upgrade to Windows 7 or Windows 8.

    • Unfortunately, there are no further patches for Windows XP, as support was dropped by Microsoft on April 8. My recommendation is to upgrade to Windows 7. Just don't upgrade to Windows 8 due to the horrible user interface and update problems which continue to plague Windows 8.

    • Paul Ducklin · 109 days ago

      If you're still using XP as your primary browsing platform, you're letting us all down a little bit - XP support (and with it support for MS applications on it) ended earlier this year after seven years of warning.

      The security baked into Windows from Vista and later is, simply put, better than that in XP, because the later versions of Windows were started in an era when security had become more of an issue.

      The "security update" for Windows XP is Windows 7 or 8.1.

  3. gregory flattery · 109 days ago

    I suggest Paul you use Spellchecker before posting !

    • Paul Ducklin · 109 days ago

      Thanks for, errr, pointing out the errors to make it easier to fix them :-)

      I found and fixed "paches" and "vulnerablities", and spotted a missing comma. (Well, obviously I *didn't* spot the missing comma because it was missing, but I spotted the place where it is now.)

      What have you got?

  4. Unfortunately, there are no further patches for Windows XP, as Microsoft has dropped support on April 8. There is a hack you can do through the Registry Editor, but I DON'T recommend it. It may not work, and may make you more vulnerable. I recommend upgrading to Windows 7, provided your computer meets the system requirements. Windows 8 is fine, however there have been a myriad of problems of people installing the update in order to obtain the patches for Windows 8. If you can, obtain a copy of Windows 7.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog