Patch Tuesday for July 2014 – 6 bulletins, 2 RCEs, 3 EoPs and get ready to reboot


Here’s what to expect from Microsoft in the July 2014 edition of Patch Tuesday, scheduled to ship on Tuesday 08 July 2014.

Things are fairly straightforward this month, with six bulletins, two of which are critical patches dealing with remote code execution holes.

Internet Explorer (IE) users take note that this month’s IE fix, Bulletin One, covers all supported versions of IE from 6 to 11; patches against remote code execution; is rated Critical; and requires a reboot.

As usual, Server Core installs aren’t affected by the Internet Explorer Bulletin, because Server Core can’t run IE.

Bulletin Two patches Windows itself, and is also rated Critical because it deals with potential remote code execution.

Server Core isn’t affected, which is yet another good advertisement for using Microsoft’s stripped-down server flavour whenever you can.

When it comes to server security, less is almost always more, quite simply because the fewer drivers, libraries and programs you have installed, the lower the chance that any one of them will have a hole that might put your network at risk.

If you have a server dedicated to DHCP and DNS, for example, then it simply doesn’t need to be able to run applications such as web browsers, document editors and PDF viewers.

And if it doesn’t need that sort of software, then it doesn’t need the extensive ecosystem of software components that are usually there to support user-facing programs.

All other Windows versions, client and server, get Bulletin Two updates, with the exception of what is now Microsoft’s oldest supported platform, Windows Server 2003 SP2.

Having just talked up the security benefits of Server Core, note that the Server Core versions do get updates for the vulnerabilities covered by Bulletins Three and Four, which are rated Important and patch Elevation of Privilege (EoP) holes.

EoP holes are exactly what their name suggests: a way for users or programs with limited authority to grab more power than they are supposed to have.

Generally, though not always, EoPs allow regular users like you or me to turn themselves into administrators; as you can imagine, that can turn what might have been a troublesome cyberattack in a disastrous one.

In other words, even though EoPs usually attract a rating of Important rather then Critical (because an EoP generally can’t be used by remote attackers unless they manage to break in first via some other hole), they’re well worth patching with the same zeal that you apply to remote code execution holes.

(Audio player not working? Download to listen offline, or listen on Soundcloud.)

Bulletin Five plugs a third EoP vulnerability that applies to many, but not all, Windows versions, and Bulletin Six is a potential Denial of Service bug in Microsoft’s Server Bus product (don’t worry, I hadn’t heard of it either).

Server Bus
is a utility layer for programmers that allows you to use, in your own software, the inter-application messaging infrastructure that is part of Azure, Microsoft’s cloud service.

So, that’s what’s in store this month: there will almost certainly be at least one patch for all supported Windows systems in your network, and you will almost certainly have to reboot the lot of them.