Patch Tuesday for May 2014 – 8 bulletins, 2 critical, 0/zero/zilch/zip for XP


A quick note to remind you that tomorrow is Patch Tuesday, so here’s what to expect.

The scorecard is “2 from 8”, with eight security bulletins due, two of which are rated Critical.

Top of the list, literally and figuratively, is the usual Internet Explorer (IE) cumulative rollup, with all supported versions of IE getting patches.

On non-server platforms, Microsoft has rated Bulletin One, the IE patch, as critical from IE 6 to IE 11, for 32-bit and 64-bit versions, on Intel and ARM processors.

Unlike the zero-day patch that came out mid-month for CVE-2014-1776 (the attack that could be sidestepped by turning off IE’s vector graphics addin), Microsoft has not taken pity on XP users this time.

There are no patches for XP users, not for IE, and not for any other component of Windows, just like Microsoft announced some seven years ago.

Our advice for XP diehards, as always, is:

  1. Don’t run XP.
  2. If you have to run XP, use Application Control to prevent the computer being used for browsing or other interactive online work.
  3. If you have to browse from XP (and, let’s face it, you don’t), use a browser like Firefox or Chromium that is still being updated.
  4. GOTO 1.

There don’t seem to be any patches this month that are newsworthy or anticipated enough for Microsoft to announce precise details in advance.

That sometimes happens, as it did last month when a zero-day that exploited a vulnerability in opening RTF files was patched, and Microsoft’s Security Research Center gave out the details the week before Patch Tuesday.

This month, the Security Research guys have kept it simple, which usually means that all the patches are for privately disclosed vulnerabilities:

[The May 2014] updates will address vulnerabilities for .NET Framework, Office, Internet Explorer, and Windows.

As you might expect, the .NET framework patch applies to almost all supported operating systems, server and desktop alike.

Intriguingly, the only platform unaffected is Windows Server 2008; the R2 flavour of Server 2008 will require the patch.

Note that this patch applies to Server Core as well as to full-blown server installs.

The .NET patch, Bulletin Five, deals with an elevation of privilege (EoP) flaw; because EoPs don’t get you into a vulnerable computer in the first place, they usually attract a severity level of Important, as in this case.

But, as we explain in our popular Techknow podcast on vulnerabilities, an EoP can often be used by an attacker to turn a user-level remote code execution hole into a full system-level compromise.

(Audio player not working? Download to listen offline, or listen on Soundcloud.)

The Office versions getting patches are: 2007, 2010, 2013 and 2013 RT; Office for Mac users can relax this time.

And the server software components getting patches include: SharePoint, SharePoint Designer and Office WebApps in their 2010 and 2013 flavours.

Oh, and plan on rebooting: the IE patch requires it, and so does Bulletin Six, an EoP patch for Windows itself that applies everywhere, including Server Core.

Have a happy Tuesday!