
Monday, September 18, 2017

Internet Information Server (IIS) versions

Version | Obtained from | Operating System
1.0 | Included with Windows NT 3.51 SP 3 (or as a self-contained download). | Windows NT Server 3.51
2.0 | Included with Windows NT Server 4.0. | Windows NT Server 4.0
3.0 | Included with Windows NT Server 4.0 Service Pack 3 (Internet Information Server 2.0 is automatically upgraded to Internet Information Server 3.0 during the install of SP3). | Windows NT Server 4.0
4.0 | Self-contained download from www.microsoft.com or the Windows NT Option Pack compact disc. | Windows NT Server 4.0 SP3 and Microsoft Internet Explorer 4.01
5.0 | Built-in component of Windows 2000. | Windows 2000
5.1 | Built-in component of Windows XP Professional. | Windows XP Professional
6.0 | Built-in component of Windows Server 2003. | Windows Server 2003
7.0 | Built-in component of Windows Vista and Windows Server 2008. | Windows Vista and Windows Server 2008
7.5 | Built-in component of Windows 7 and Windows Server 2008 R2. | Windows 7 and Windows Server 2008 R2
8.0 | Built-in component of Windows 8 and Windows Server 2012. | Windows 8 and Windows Server 2012





- wong chee tat :)

Monday, May 15, 2017

Technical Advisory for System Administrators on "WannaCry Ransomware"


Published on Monday, 15 May 2017 21:56

Background
On 12th May 2017, there was a global widespread infection of a ransomware known as "WannaCry", a.k.a. WanaCrypt0r. This ransomware exploits a known critical Microsoft Windows Server Message Block 1.0 (SMB) vulnerability (MS17-010), which allows remote code execution, giving it a worm-like capability to propagate through a network by scanning for vulnerable systems and infecting them. It then encrypts files on the system and extorts a bitcoin ransom in exchange for the decryption of the files.

This advisory serves to provide system administrators with technical information to safeguard their networks against this cyber threat.

How to Minimise Risk of Being Infected by WannaCry Ransomware?
In addition to common IT security best practices such as applying the latest security patches, updating AV signatures, granting users non-privileged access, and educating end users, below are additional specific measures to mitigate the WannaCry ransomware threat.

Do note that as there are many variants of WannaCry ransomware (and it is still evolving), no one method may be sufficient to ensure that you are fully protected.

Prevention of Spreading From Internal Network
Ensure all Microsoft computers are patched with the MS17-010 (Critical) security update.

If possible, disable Remote Desktop Protocol (RDP) and the Server Message Block (SMB) protocol. Where disabling is not possible, ensure that RDP access control is secure (i.e. restrict RDP so that it is reachable only from a specific Out-Of-Band (OOB) network).

There are some variants of WannaCry which have a "kill-switch" feature. Hence it is not recommended to block the network Indicators of Compromise (IOC) associated with the kill-switch, because those variants will proceed to spread/infect if that network connection is blocked.

Prevention of Infection From External Network (i.e. Internet)
Ensure that the perimeter firewalls block unsolicited traffic (including port 445) from the Internet.

The following network IPS (for the respective products) are available for blocking at the perimeter. If you are not using any of the below products, please check with your vendor on the availability of IPS signatures relating to WannaCry.

SourceFire:
SID 42329 - MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response
SID 42330 - MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response
SID 42331 - MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command
SID 42332 - MALWARE-CNC Win.Trojan.Doublepulsar variant ping command
SID 42340 - OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt
SID 41978 - OS-WINDOWS Microsoft Windows SMB remote code execution attempt

McAfee Intrushield:
Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)
Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
Microsoft Windows SMB Out of bound Write Vulnerability (CVE-2017-0146)
Windows SMBv1 information disclosure vulnerability (CVE-2017-0147)
NETBIOS-SS: MS17-010 EternalBlue SMB Remote Code Execution
NETBIOS-SS: SMB DoublePulsar Unimplemented Trans2 Session Setup Subcommand Request

Endpoints Protection
Apply application white-listing where available/possible. For example, Microsoft Windows OS (Windows 7 / 2008 and above) has AppLocker, which allows application white-listing.

What Should You Do If You Are Hit by WannaCry Ransomware?
If you suspect that your computer is infected with WannaCry, you may want to do the following:
1. If possible, do not shut down/reboot the affected computer.

2. Disconnect the computer from all networks, including the Internet and the internal network.

3. Unplug all USB-connected devices from the affected computer.

4. If your backup devices (i.e. NAS, SAN, portable HDD) are connected to the same "affected network" as the computer, it is strongly advised that you quickly disconnect them from the network (where possible).

5. Shift your attention to the other systems in the same network, which may also have been affected by the ransomware. If you find more systems affected, perform steps 1 to 3 on them as well.

6. For all Windows systems, quickly apply the critical security patch (MS17-010-Critical). Disable RDP and SMB services if possible. This will minimise the chances of the infection spreading further within your network.

7. For the infected machines:
   - Perform memory acquisition of the running computer, which MAY give a forensics analyst a chance of recovering the files.
   - Re-image the machine with a full format and re-installation of the OS. There are some online "tutorials" on how to manually remove the WannaCry ransomware, for example by starting the machine in "safe" mode, manually deleting the malware, and restoring the original files from Windows' "Restore previous versions" feature. Whether these methods work or not will depend on the variant of WannaCry and the Windows OS version.

8. Finally, restore information from backup.
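As an added example (not part of the SingCERT advisory above), the following PowerShell script applies the host-level measures the advisory describes on a Windows 8.1 / Server 2012 R2 or later machine: it checks whether the MS17-010 update is present, disables SMBv1, blocks unsolicited inbound SMB at the host firewall, and either disables RDP or restricts it to an out-of-band management subnet. The KB number and the OOB subnet are placeholders you must set for your environment.

```powershell
# Added example (not from the SingCERT advisory): host-level WannaCry hardening.
# Run from an elevated PowerShell prompt on Windows 8.1 / Server 2012 R2 or later.
# PLACEHOLDERS: the MS17-010 KB number for this OS (take it from the bulletin)
# and the out-of-band management subnet that is allowed to reach RDP.
param(
    [string]$Ms17010Kb = 'KB_PLACEHOLDER_FROM_MS17-010_BULLETIN',
    [string]$OobSubnet = '10.0.0.0/24',   # assumed OOB management network
    [bool]$RdpNeeded   = $true           # $false disables RDP outright
)

# 1. Is the MS17-010 update installed? Get-HotFix reads the installed-updates list.
$patch = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
if ($patch) {
    Write-Host "MS17-010 update $Ms17010Kb installed on $($patch.InstalledOn)"
} else {
    Write-Warning "MS17-010 update $Ms17010Kb NOT found - patch this host first"
}

# 2. Disable the SMBv1 server protocol (the SMB 1.0 dialect MS17-010 covers).
#    Very old clients (XP/2003 era) can only speak SMBv1; confirm none depend on this host.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 server protocol disabled'
}
# Also remove the SMB1 component where the optional feature exists.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'SMB1Protocol feature removed (reboot required to complete)'
}

# 3. Block unsolicited inbound SMB (TCP 445 and NetBIOS session 139) at the host firewall.
#    This mirrors the perimeter rule in the advisory; omit it on hosts that must serve files.
New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry mitigation)' `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 -Action Block -Profile Any | Out-Null

# 4. RDP: disable it entirely if possible; otherwise scope the built-in allow rules
#    to the OOB subnet. Because the default inbound policy is Block, narrowing the
#    only allow rules is enough to restrict where RDP is reachable from.
if (-not $RdpNeeded) {
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'RDP disabled'
} else {
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $OobSubnet
    Write-Host "RDP restricted to $OobSubnet"
}

# 5. Report the resulting state for the change record.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled
```

On Windows 7 / Server 2008 R2 the SMB cmdlets are not available; there SMBv1 is turned off through the LanmanServer registry setting described in Microsoft's SMB guidance, and the firewall rules are set with netsh instead.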




- wong chee tat :)

WanaCrypt0r aka WannaCry: What You Need to Know and Actions to Take


Published on Sunday, 14 May 2017 18:19

Background
On 12th May 2017, there was a global widespread infection of a ransomware known as "WannaCry", a.k.a. WanaCrypt0r. This ransomware has the capability to spread over the network by scanning for vulnerable systems and infecting them. It then encrypts files on the system and extorts a ransom payment in bitcoin for the decryption of the files.

Since the initial news of the infections, Singapore has seen a number of victims struck by the ransomware.

Why “WannaCry” Is Dangerous
What makes WannaCry dangerous is that the attackers are leveraging a Windows exploit code-named EternalBlue, which was reportedly leaked and dumped by the Shadow Brokers hacking group over a month ago. The exploit can penetrate machines running unpatched versions of Windows through 2008 R2 by exploiting flaws in the Microsoft Windows SMB (Server Message Block) server.

The WannaCry ransomware has since spread rapidly across the world, affecting thousands of systems in over 100 countries. Once a single computer in an organisation is infected with the WannaCry ransomware, the worm looks for other vulnerable computers within the network and infects them as well.

Recommendations
Prevention is always better than cure. For the WannaCry ransomware, this principle is strongly recommended.

Microsoft has released a patch for the SMB vulnerability (MS17-010) in March 2017. You should install this patch immediately if you have not done so.

As with all other ransomware infections, you should always be suspicious of unsolicited documents sent through email. Do not click on links inside these documents unless you have verified the source.

Always make backups of your important files and documents. This will save you when you have to restore your files and documents.

Do ensure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.

What If I’m Infected?
Firstly, don’t panic. Although there is currently no known way to recover files encrypted by “WannaCry”, you should follow these steps:

Disconnect your computer from the network. This can be done by removing your network cable or shutting down the wireless function on your computer. By doing so you are preventing the spread of the WannaCry ransomware.

Start rebuilding your affected computer. This can be done by performing a clean installation of your Windows operating system.

After you have rebuilt the infected computer, patch it with the recommended patch and restore your system from any backup you have made.

If you need further assistance, you can contact SingCERT for advice.

References
Massive ransomware attack hits 99 countries, http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/index.html
SingCERT Advisory on Ransomware, dated 6 May 2016, https://www.csa.gov.sg/singcert/news/advisories-alerts/ransomware
Microsoft Security Bulletin (MS17-010-Critical), dated 14 March 2017, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
WannaCry Ransomware That's Hitting World Right Now Uses NSA Windows Exploit, dated 12 May 2017, http://thehackernews.com/2017/05/wannacry-ransomware-unlock.html


- wong chee tat :)

WannaCry ransomware: Singapore's critical infrastructure unaffected, says CSA


Screen of a computer hit by WannaCry ransomware. (Photo: Twitter/@LawrenceDunhill)
15 May 2017 08:09PM
(Updated: 15 May 2017 09:05PM)

SINGAPORE: Singapore's critical information infrastructure (CII) remained unaffected by the global hacking attacks that affected governments and large organisations elsewhere, the Cyber Security Agency of Singapore (CSA) said on Monday (May 15).

Known as WannaCry, the ransomware exploits known vulnerabilities in old Microsoft operating systems. Cyber security experts cautioned that more machines could be affected by the virus as people around the world returned to work at the start of a new week.

"As of this afternoon, no critical information infrastructure has been affected," said Dan Yock Hau, director of Singapore's National Cyber Incident Response Centre, which is a unit of the CSA.

Mr Dan added that the unit would continue to track the situation closely and that it was working with the CII sectors to monitor their state of readiness.

"We are also tracking other sources of intelligence and have reached out to offer assistance to those (cases) that were brought to our attention," he said.

Electronic signboards in malls like Tiong Bahru Plaza and White Sands, as well as a Desigual outlet at Orchard Central, have been hit. Jerry Tng of cyber security firm Ivanti noted that the signboards likely ran on systems that had not been updated with the latest security patches.

A ransomware message encountered by a Facebook user on a directory screen at Tiong Bahru Plaza on Saturday (May 13).

"There are many unpatched signages and point-of-sales (terminals) running embedded Windows OS," Mr Tng said, referring to a version of the Microsoft operating system that is designed for use in embedded systems.

Cyber security researchers elsewhere have likewise drawn attention to the difficulty of patching such devices, which could include medical devices such as those used by hospitals in Britain that were affected by last Friday's cyber attack.

"CSA's National Cyber Security Monitoring Centre also monitors the developing global situation and tracks the technical indicators to assess the potential implication to Singapore so that we are able to work on the necessary responses and measures to take," Mr Dan said on Monday.

CSA chief executive David Koh said: "This is an issue of national importance and we will take all the necessary measures to counter the spread of the ransomware and help businesses and members of the public prevent or recover from it as quickly as possible."

In a separate media release, CSA said that internet service providers Singtel and Starhub had set up helplines for their customers. Singtel customers can call 1688 and its SME customers can call 1606. StarHub's SME customers can call 1800 888-8888, which operates from 9am to 6pm on Mondays to Fridays. Its residential customers can call its 24-hour hotline at 1633.

Businesses and members of the public can also refer to SingCERT’s advisory on WannaCry or seek help from SingCERT by contacting singcert@csa.gov.sg or 6323 5052.

Source: CNA/dt



- wong chee tat :)

Wednesday, September 14, 2016

Thursday, August 11, 2016

Microsoft Security Bulletins




- wong chee tat :)

Wednesday, July 13, 2016

Patch Tuesday - July 2016

Webpages, Word files, print servers menacing Windows PCs, and disk encryption bypasses – yup, it's Patch Tuesday

Plus: 52 security bugs fixed in Adobe Flash

Cthulu emerges from a printer. Image created by illustrator Andy Davies. Copyright: The Register

Microsoft will fix critical holes in Internet Explorer, Edge, Office and Windows with this month's Patch Tuesday security bundle. Meanwhile, Adobe has patched dozens of exploitable vulnerabilities in its Flash player.
Redmond's July release includes 11 sets of patches, six rated as "critical" and five classified as "important." The highlights are: a BitLocker device encryption bypass, evil print servers executing code on vulnerable machines, booby-trapped webpages and Office files injecting malware into PCs, and the usual clutch of privilege elevation flaws.
Get patching now before miscreants develop and distribute code exploiting the programming blunders. As far as we can tell, none of the bugs below are being exploited in the wild right now.
  • MS16-084 is a cumulative fix for Internet Explorer that addresses 15 CVE-listed vulnerabilities, including five memory corruption bugs and four scripting engine memory corruption bugs that can be exploited to execute code remotely on vulnerable machines. In other words, opening up a booby-trapped website that exploits these flaws could lead to malware infecting your PC.
    "The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user," said Microsoft.
  • MS16-085 is also a cumulative browser fix, this time for the new Edge browser. Among the 13 CVE-listed holes in Edge are five remote code execution flaws in the Chakra JavaScript engine. Also patched are three information disclosure flaws, three spoofing vulnerabilities, and two other memory corruption flaws. Again, a malicious webpage could use these security holes to infect PCs with software nasties.
  • MS16-088 patches seven memory corruption vulnerabilities in Office. The flaws could allow remote code execution if opened as local documents or information disclosure if targeted at SharePoint or Office Web Apps server. Office for Mac users will receive an update as well. Basically, malicious software can be smuggled in Office documents and will infect computers when opened.
  • MS16-094 remedies a security bypass flaw in Windows Secure Boot. An attacker with admin or physical access – such as a thief or someone who has seized your PC – can exploit the vulnerability to install a policy that bypasses BitLocker and disk encryption.
    "A security feature bypass vulnerability exists when Windows Secure Boot improperly applies an affected policy," Microsoft explained.
    "An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features.
    "To exploit the vulnerability, an attacker must either gain administrative privileges or physical access to a target device to install an affected policy. The security update addresses the vulnerability by blacklisting affected policies."
  • MS16-093 is Microsoft's distribution of this month's Adobe Flash Player security fixes. In all, 24 CVE-listed flaws are addressed, including remote code execution vulnerabilities. Users running Windows 8.1 and later and Server 2012 will get this update automatically. Older versions will need to get the update from Adobe (more details below).
  • MS16-086 covers a single remote code execution flaw in the JScript and VBScript engines for Windows Vista and Server 2008. Later versions are not affected. "The vulnerability could allow remote code execution if a user visits a specially crafted website," admitted Microsoft.
  • MS16-090 addresses six elevation of privilege vulnerabilities in all supported versions of Windows and Windows Server. An attacker can run a specially crafted application that exploits the kernel-level flaws to increase their user permissions and take over the system.
  • MS16-087 is an update for flaws in the print spooler component of Windows: a man-in-the-middle attacker on a network can execute code on a remote vulnerable machine, or elevate their privileges if already running code on a system. Essentially, a rogue printer server on a network can inject malware into connected PCs. All supported versions of Windows and Windows Server are vulnerable.
    "A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers," Microsoft confessed. "An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system.
    "An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application."
  • MS16-089 fixes a single information disclosure flaw triggered when the Windows 10 kernel improperly handles objects in memory.
  • MS16-091 is a patch for an information disclosure flaw in the .NET Framework triggered by running an XML file on a web application. The bug is found in all supported versions of Windows and Windows Server.
  • MS16-092 addresses two flaws in the Windows kernel, one that discloses information about the kernel and another bypassing security access checks. All supported versions of Windows and Windows Server should be updated.
Meanwhile, Adobe is applying a few more strips of duct tape to holes in the internet's screen door with the July Flash Player update.
Windows, OS X, Linux, and ChromeOS users should check to make sure they have the latest version of the software.
In total, this month's patch remedies 52 CVE-listed vulnerabilities. If targeted, 49 of those would allow remote code execution, while the other three would allow information disclosure and memory leaks.
Adobe has also released an update for Acrobat/Reader and XMP Toolkit for Java.




- wong chee tat :)

Sunday, June 14, 2015

Microsoft Security Advisory 2962393


Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client
Published: May 5, 2014 | Updated: June 9, 2015
Version: 2.0

Microsoft is announcing the availability of an update for the Juniper Networks Windows In-Box Junos Pulse Client for Windows 8.1 and Windows RT 8.1. The update addresses a vulnerability in the Juniper VPN client by updating the affected Juniper VPN client libraries contained in affected versions of Microsoft Windows.

Juniper VPN Client Update

Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

On June 9, 2015, Microsoft released an update (3062760) for the Juniper Networks Windows In-Box Junos Pulse VPN client. The update addresses the vulnerability described in Juniper Security Advisory JSA29833. Customers who are not using a Juniper VPN solution are not vulnerable; however, Microsoft recommends applying the update on all affected operating systems since the affected component is present in-box. For more information about this update, including download links, see Microsoft Knowledge Base Article 3062760.

Note: Updates for Windows RT 8.1, Windows Technical Preview, and Windows Server Technical Preview are available via Windows Update.

Affected Software

This advisory discusses the following software.
Operating System | Component
Windows 8.1 for 32-bit Systems | Juniper Networks Windows In-Box Junos Pulse Client
Windows 8.1 for x64-based Systems | Juniper Networks Windows In-Box Junos Pulse Client
Windows RT 8.1 | Juniper Networks Windows In-Box Junos Pulse Client

Non-Affected Software
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows Server 2012
Windows RT
Windows Server 2012 R2

Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)

Frequently Asked Questions

What is the scope of the advisory?
The purpose of this advisory is to announce the availability of an update for Juniper Networks Windows In-Box Junos Pulse VPN client for Windows 8.1 and Windows RT 8.1.

What is Juniper Networks Windows In-Box Junos Pulse Client?
Juniper Networks Windows In-Box Junos Pulse Client is a third-party VPN product that is shipped in-box as part of the Windows operating system. Windows In-Box Pulse Client appears as a VPN Provider network option within Windows 8.1 and later endpoints, including Windows RT 8.1 endpoints. It allows the user to establish a Layer 3 VPN connection to Junos Pulse Secure Access Service and to create, manage, and remove Pulse VPN connections on the Windows endpoint through Windows PowerShell scripts. The user can also create connections manually on the endpoint. Windows In-Box Junos Pulse Client provides a subset of the features that are available through the Junos Pulse for Windows client.

What is VPN?
Virtual private networks (VPNs) are point-to-point connections over a private or public intermediate network, such as the Internet, allowing users to remotely access private networks that otherwise would not be accessible from the Internet, or administrators to connect remote sites together. For more information about VPN technologies as well as how to configure them on Windows, please see What Is VPN?.

What does the update do?
The update addresses the vulnerability by updating the Juniper Networks VPN client libraries contained in Windows 8.1 and Windows RT 8.1.

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

To successfully exploit the vulnerability, an attacker would have to host a specially crafted VPN server and then convince users to connect to that server directly (or by way of a redirect to the specially crafted VPN server). In all cases, an attacker would have no way to force users to connect to the specially crafted VPN server.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.
Previous Updates

On May 5, 2014, Microsoft released an update for the Juniper Networks Windows In-Box Junos Pulse VPN client. The update addresses the vulnerability described in Juniper Security Advisory JSA10623. For more information about this update, including download links, see Microsoft Knowledge Base Article 2962393.

Note: Updates for Windows RT 8.1 are available via Windows Update.

Other Information

Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback
You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.

Support

Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.

Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions
V1.0 (May 5, 2014): Advisory published.
V2.0 (June 9, 2015): Added the 3062760 update to the Juniper VPN Client Update section.



- wong chee tat :)

Tuesday, September 30, 2014

word problem

An MS Office 2010 user encountered this problem with MS Word 2010: whenever the spell check function is used, MS Word simply hangs and becomes unresponsive. To end it, you have to kill the process from Task Manager. It happens with any Word document.

Check for the following:

- Launch winword /safe from Run or from cmd and check whether the problem persists.
- Check for any add-ins or plugins, disable them, and check again.

This should resolve the problem.

- wong chee tat :)

Wednesday, April 2, 2014

Microsoft Security Bulletin Summary for March 2014


Published: 
Version: 1.0
This bulletin summary lists security bulletins released for March 2014.
With the release of the security bulletins for March 2014, this bulletin summary replaces the bulletin advance notification originally issued March 6, 2014. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.
Microsoft is hosting a webcast to address customer questions on these bulletins on March 12, 2014, at 11:00 AM Pacific Time (US & Canada). Register now for the March Security Bulletin Webcast.
Microsoft also provides information to help customers prioritize monthly security updates with any non-security updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

Bulletin Information

Executive Summaries

The following table summarizes the security bulletins for this month in order of severity.
For details on affected software, see the next section, Affected Software.
Bulletin IDBulletin Title and Executive SummaryMaximum Severity Rating and Vulnerability ImpactRestart RequirementAffected Software
MS14-012Cumulative Security Update for Internet Explorer (2925418)

This security update resolves one publicly disclosed vulnerability and seventeen privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Critical
Remote Code Execution
Requires restartMicrosoft Windows,
Internet Explorer
MS14-013Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2929961

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted image file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Critical
Remote Code Execution
May require restartMicrosoft Windows
MS14-015Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2930275)

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Important
Elevation of Privilege
Requires restartMicrosoft Windows
MS14-016Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418)

This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker makes multiple attempts to match passwords to a username.
Important
Security Feature Bypass
Requires restartMicrosoft Windows
MS14-014Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)

This security update resolves a privately reported vulnerability in Microsoft Silverlight. The vulnerability could allow security feature bypass if an attacker hosts a website that contains specially crafted Silverlight content that is designed to exploit the vulnerability, and then convinces a user to view the website. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.
Important
Security Feature Bypass
Does not require restart
Microsoft Silverlight

Exploitability Index

Affected Software

Detection and Deployment Tools and Guidance

Other Information

Microsoft Windows Malicious Software Removal Tool

For the bulletin release that occurs on the second Tuesday of each month, Microsoft has released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. No updated version of the Microsoft Windows Malicious Software Removal Tool is available for out-of-band security bulletin releases.

Non-Security Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft Update, please see:

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners listed in Microsoft Active Protections Program (MAPP) Partners.

Security Strategies and Community

Update Management Strategies
Security Guidance for Update Management provides additional information about Microsoft’s best-practice recommendations for applying security updates.
Obtaining Other Security Updates
Updates for other security issues are available from the following locations:
  • Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for "security update".
  • Updates for consumer platforms are available from Microsoft Update.
  • You can obtain the security updates offered this month on Windows Update, from Download Center on Security and Critical Releases ISO CD Image files. For more information, see Microsoft Knowledge Base Article 913086.
IT Pro Security Community
Learn to improve security and optimize your IT infrastructure, and participate with other IT Pros on security topics in IT Pro Security Community.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:
For MS14-012
  • lokihardt@ASRT, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0297)
  • Amol Naik, working with VeriSign iDefense Labs, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0297)
  • lokihardt@ASRT, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0298)
  • Jose A. Vazquez of Yenteasy - Security Research, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0299)
  • Bo Qu of Palo Alto Networks for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0302)
  • Bo Qu of Palo Alto Networks for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0303)
  • Hui Gao of Palo Alto Networks for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0304)
  • Tianfang Guo of Palo Alto Networks for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0305)
  • Jason Kratzer, working with VeriSign iDefense Labs, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0306)
  • Jason Kratzer, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0307)
  • lokihardt@ASRT, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0308)
  • Amol Naik, working with VeriSign iDefense Labs, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0309)
  • Scott Bell of Security-Assessment.com for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0311)
  • Yujie Wen of Qihoo for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0311)
  • Simon Zuckerbraun, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0312)
  • Omair, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0313)
  • Bo Qu of Palo Alto Networks for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0314)
  • Zhibin Hu of Qihoo for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0314)
  • Anil Aphale for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0314)
  • Bo Qu of Palo Alto Networks for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0321)
  • Yujie Wen of Qihoo for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0321)
  • FireEye, Inc. for working with us on the Internet Explorer Memory Corruption Vulnerability (CVE-2014-0322)
For MS14-013
  • An anonymous researcher, working with VeriSign iDefense Labs, for reporting the DirectShow Memory Corruption Vulnerability (CVE-2014-0301)
For MS14-014
For MS14-015
  • Alexander Chizhov for working with us on the Win32k Information Disclosure Vulnerability (CVE-2014-0323)
For MS14-016
  • Andrew Bartlett of the Samba Team and Catalyst IT for reporting the SAMR Security Feature Bypass Vulnerability (CVE-2014-0317)

Support

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (March 11, 2014): Bulletin Summary published.

- wong chee tat :)