===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0921
        Cumulative Security Update for Internet Explorer (2969262)
                               10 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Internet Explorer
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2777 CVE-2014-2776 CVE-2014-2775
                   CVE-2014-2773 CVE-2014-2772 CVE-2014-2771
                   CVE-2014-2770 CVE-2014-2769 CVE-2014-2768
                   CVE-2014-2767 CVE-2014-2766 CVE-2014-2765
                   CVE-2014-2764 CVE-2014-2763 CVE-2014-2761
                   CVE-2014-2760 CVE-2014-2759 CVE-2014-2758
                   CVE-2014-2757 CVE-2014-2756 CVE-2014-2755
                   CVE-2014-2754 CVE-2014-2753 CVE-2014-1805
                   CVE-2014-1804 CVE-2014-1803 CVE-2014-1802
                   CVE-2014-1800 CVE-2014-1799 CVE-2014-1797
                   CVE-2014-1796 CVE-2014-1795 CVE-2014-1794
                   CVE-2014-1792 CVE-2014-1791 CVE-2014-1790
                   CVE-2014-1789 CVE-2014-1788 CVE-2014-1786
                   CVE-2014-1785 CVE-2014-1784 CVE-2014-1783
                   CVE-2014-1782 CVE-2014-1781 CVE-2014-1780
                   CVE-2014-1779 CVE-2014-1778 CVE-2014-1777
                   CVE-2014-1775 CVE-2014-1774 CVE-2014-1773
                   CVE-2014-1772 CVE-2014-1771 CVE-2014-1770
                   CVE-2014-1769 CVE-2014-1766 CVE-2014-1764
                   CVE-2014-1762 CVE-2014-0282

Original Bulletin:
   https://technet.microsoft.com/library/security/ms14-035

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS14-035 - Critical

Cumulative Security Update for Internet Explorer (2969262)

Published: June 10, 2014

Version: 1.0

General Information

Executive Summary

This security update resolves two publicly disclosed vulnerabilities and
fifty-seven privately reported vulnerabilities in Internet Explorer. The
most severe of these vulnerabilities could allow remote code execution if a
user views a specially crafted webpage using Internet Explorer. An attacker
who successfully exploited these vulnerabilities could gain the same user
rights as the current user. Customers whose accounts are configured to have
fewer user rights on the system could be less impacted than those who
operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6 (IE 6),
Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9
(IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on
affected Windows clients, and Important for Internet Explorer 6 (IE 6),
Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9
(IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on
affected Windows servers.

Affected Software

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9
Internet Explorer 10
Internet Explorer 11

Vulnerability Information

TLS Server Certificate Renegotiation Vulnerability - CVE-2014-1771

An information disclosure vulnerability exists in the way that Internet
Explorer handles negotiation of certificates in a TLS session. An attacker
who successfully exploited this vulnerability could hijack a mutually
authenticated TLS connection between Internet Explorer and an arbitrary
target server.

To view this vulnerability as a standard entry in the Common
Vulnerabilities and Exposures list, click the link in the following table:

Vulnerability title                                        CVE number
TLS Server Certificate Renegotiation Vulnerability         CVE-2014-1771

Internet Explorer Information Disclosure Vulnerability - CVE-2014-1777

An information disclosure vulnerability exists within Internet Explorer
during validation of local file installation.

To view this vulnerability as a standard entry in the Common
Vulnerabilities and Exposures list, click the link in the following table:

Vulnerability title                                        CVE number
Internet Explorer Information Disclosure Vulnerability     CVE-2014-1777

Multiple Elevation of Privilege Vulnerabilities in Internet Explorer

Elevation of privilege vulnerabilities exist within Internet Explorer. An
attacker who successfully exploited these vulnerabilities could elevate
privileges in affected versions of Internet Explorer. These vulnerabilities
by themselves do not allow arbitrary code to be run. However, these
vulnerabilities could be used in conjunction with another vulnerability
(e.g., a remote code execution vulnerability) that could take advantage of
the elevated privileges when running arbitrary code.

To view these vulnerabilities as a standard entry in the Common
Vulnerabilities and Exposures list, click the link in the following table:

Vulnerability title                                        CVE number
Internet Explorer Elevation of Privilege Vulnerability     CVE-2014-1764
Internet Explorer Elevation of Privilege Vulnerability     CVE-2014-1778
Internet Explorer Elevation of Privilege Vulnerability     CVE-2014-2777

Multiple Memory Corruption Vulnerabilities in Internet Explorer

Remote code execution vulnerabilities exist when Internet Explorer
improperly accesses objects in memory. These vulnerabilities could corrupt
memory in such a way that an attacker could execute arbitrary code in the
context of the current user.

To view these vulnerabilities as a standard entry in the Common
Vulnerabilities and Exposures list, click the link in the following table:

Vulnerability title                                        CVE number
Internet Explorer Memory Corruption Vulnerability          CVE-2014-0282
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1762
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1769
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1770
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1772
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1773
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1774
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1775
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1766
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1779
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1780
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1781
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1782
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1783
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1784
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1785
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1786
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1788
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1789
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1790
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1791
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1792
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1794
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1795
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1796
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1797
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1799
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1800
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1802
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1803
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1804
Internet Explorer Memory Corruption Vulnerability          CVE-2014-1805
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2753
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2754
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2755
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2756
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2757
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2758
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2759
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2760
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2761
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2763
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2764
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2765
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2766
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2767
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2768
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2769
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2770
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2771
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2772
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2773
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2775
Internet Explorer Memory Corruption Vulnerability          CVE-2014-2776

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.