The September 9th 2014 Security Updates

[Brink]

Today, as a part of our regular Update Tuesday process, we released four security bulletins – one rated Critical and three rated Important in severity – to address 42 Common Vulnerabilities & Exposures (CVEs) in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. We encourage you to apply all of these updates, but for those who need to prioritize, we recommend focusing on the Critical update first.

Below is a graphical overview of this release and a brief video summarizing the updates released today:




The top deployment priority for our customers this month is the update for Internet Explorer, which addresses 37 CVEs. In case you missed it, the August update for Internet Explorer also included new functionality to block out-of-date ActiveX controls. This functionality will be enabled with today’s update. You can see what these notifications will look like by reviewing this TechNet article. Administrative Templates are also available for those who wish to manage these settings through Group Policy.

In addition to this month’s security bulletins, we have revised three Security Advisories. Security Advisory 2871997 – Update to Improve Credentials Protection and Management was revised to announce an update for supported editions of Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’ credentials when logging into a Windows 7 or Windows Sever 2008 R2 system by ensuring that credentials are cleaned up immediately instead of waiting until a Kerberos TGT (Ticket Granting Ticket) has been obtained. Security Advisory 2905247 – Insecure ASP.Net Site Configuration Could Allow Remote Code Execution was revised to offer the update via Microsoft Update, in addition to the Download-Center-only option, which was provided when this advisory was originally released. If you have already installed this update, you do not need to take any action. Finally, we also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, September 10, 2014, at 11 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Source

 

[ThrashZone]

And so out of date activate x controls begins :/
See how it goes

 

[Seffrid]

The advice to wait a week before installing the monthly updates seems particularly appropriate this month!

What's Lync Server?

 

[Lady Fitzgerald]

I had 14 :shock: important updates and one optional update show up when I checked a minute ago. The optional one was for the infamous ruble symbol. I blocked that one since I'm paranoid and don't see myself ever needing it. Per my usual practice, I'm waiting 'til Saturday morning to run the remaining updates just in case something goes pear shaped (again).

 

[ThrashZone]

Good practice,
I jump in and everything is good 10 Important updates,
1 was for mse
1 was for office 2007 junk email filter

4 optional which I will indeed look at closer as always they are the trouble makers

 

[Ranger4]

I had 13 updates & all went well, one restart for the 112 mb of updates.

 

[trendy]

I had 15 updates all went well.
Can you shed some light on the ( Cumulative security update)
Ta.

 

[Lady Fitzgerald]

It seems like it was only a week or two ago when we received the August updates. We must be having fun because the time is flying by.

 

[Ranger4]

It seems like it was only a week or two ago when we received the August updates. We must be having fun because the time is flying by.

The older we get the faster it goes.

 

[Lady Fitzgerald]

It seems like it was only a week or two ago when we received the August updates. We must be having fun because the time is flying by.

The older we get the faster it goes.

You got that right!

 

[ThrashZone]

I did two of the optional ones
One for graphics programs and crashing attempting to use warp :/
The other was for windows explorer and previewing or moving video files which I have never had any issues with :/
Low memory sounds like a factory crapware fix to me ?

 

[trendy]

Ditto.

 

[Borg 386]

I had 14 :shock: important updates and one optional update show up when I checked a minute ago. The optional one was for the infamous ruble symbol. I blocked that one since I'm paranoid and don't see myself ever needing it. Per my usual practice, I'm waiting 'til Saturday morning to run the remaining updates just in case something goes pear shaped (again).

Yepperz, I usually wait a couple days & scan the forum/tech news to see if anything is causing problems. And before I do any updates I make a system image. As last month's updates proved, you can never have too many precautions.

I didn't see any sense in adding the Ruble update either.

 

[Stephanie]

I installed 12 updates .. no problems

 

[Lady Fitzgerald]

...And before I do any updates I make a system image...

I make a new system image every Friday so, by waiting until Saturday to update, I've essentially done the same as you.

 

[4wd]

2 laptops, all well, all updates offered installed (imaged c: to external first! :O)

 

[andrew129260]

Updates all installed, no issues. And I never messed with removing any updates or anything since the last mishap.

(Nothing happened to me, I was not affected.)