1 Software & Application
Sections 4.1 to 4.3 below list the software, applications and operating systems that make up the SOE Gold Disk
and are included in the security patch cycle for SOE supported production versions 3.00.0 and 4.10 respectively.
Any software or applications not listed in those sections will not be included in this Security Patch Cycle.
1.1 XPSOE 4.00.0 Applications
Application Name
Microsoft Windows XP – Version 5.1.2600 (Build 2600, Service Pack 3)
Microsoft Internet Explorer 128-bit version 7.0.5730.13C0
Microsoft Windows Messenger 4.7(4.7.3000)
Microsoft Media Player 6.4
Microsoft Media Player 11.0.5721.5145
Microsoft Office Access 2007 (12.0.6423.1000) MSO (12.0.6425.1000)
Microsoft Office Excel 2007 (12.0.6504.5001) MSO (12.0.6425.1000)
Microsoft Office InfoPath 2007 (12.0.6413.1000) MSO (12.0.6425.1000)
Microsoft Office OneNote 2007 (12.0.6415.1000) MSO (12.0.6425.1000)
Microsoft Office Outlook 2007 (12.0.6423.1000) MSO (12.0.6425.1000)
Microsoft Office PowerPoint 2007 (12.0.6504.1000) MSO (12.0.6425.1000)
Microsoft Office Publisher 2007 (12.0.6423.1000) MSO (12.0.6425.1000)
Microsoft Office Word 2007 (12.0.6504.5000) MSO (12.0.6425.1000)
Microsoft Office 2003 Web Components (12.0.4518.1014)
Microsoft Host Integration Server End-User Client 2000 SP2 5.1.2600.2180
Microsoft .NET Framework 1.1 SP1 (version 1.1.4322.2032)*
Microsoft .NET Framework 2.0 (version 2.0.50727.42)*
Microsoft .NET Framework 3.0 (version 3.2.30730)*
Microsoft .NET Framework 3.5 (version 3.5)*
Microsoft Silverlight 2.0
SMS 2003 Advanced Client SP3 version 2.50.4253.3000
MSXML 4.20.9818.0 Parser
1.2 XPSOE 5.00.0 Applications
Application Name
Microsoft Windows XP – Version 5.1.2600 (Build 2600, Service Pack 3)
Microsoft Internet Explorer 128-bit version 8.0.6001
Microsoft Windows Messenger 4.7(4.7.3000)
Page 1 of 7
March 2014 Workstation Patches
Microsoft Media Player 11.0.5721.5280
Microsoft Office Access 2010 (14.0.4763.1000)
Microsoft Office Excel 2010 (14.0.4763.1000)
Microsoft Office InfoPath 2010 (14.0.4763.1000)
Microsoft Office OneNote 2010 (14.0.4763.1000)
Microsoft Office Outlook 2010 (14.0.4763.1000)
Microsoft Office PowerPoint 2010 (14.0.4763.1000)
Microsoft Office Publisher 2010 (14.0.4763.1000)
Microsoft Office Word 2010 (14.0.4763.1000)
Microsoft Office 2003 Web Components for Office 2007 (12.0.6213.1000)
Microsoft Host Integration Server End-User Client 2009 8.0.3608.0
Microsoft .NET Framework 1.1 SP1 (version 1.1.4322.2032)*
Microsoft .NET Framework 2.0 (version 2.0.50727.42)*
Microsoft .NET Framework 3.0 (version 3.2.30730)*
Microsoft .NET Framework 3.5 (version 3.5)*
Microsoft .NET Framework 4.0 (version 4.0)*
Microsoft Silverlight 4.0.50917.0
SCCM Client 2007 R3 version 4.00.6487.2157
MSXML 3.0 SP10
MSXML 4.0 SP2
MSXML 6.0 SP2
*DotNet Framework is out of scope for Monthly Patching.
2 Proposed Patch Calendar
Windows XP Workstation Patch Deployment Dates for MARCH 2014
Date                Activity
12/03/2014 - Wed    Patch release by Microsoft
14/03/2014 - Fri    Patch Release to Test ET&A (CBAiTest01)
17/03/2014 - Mon    Patch testing by ET&A
20/03/2014 - Thu    Pilot to IT Ops workstations
21/03/2014 - Fri    Pilot Selected Production Admin Workstations (CBAiNet)
21/03/2014 - Fri    Test & Development domain deployment to Test (physical and virtual) and DEV (physical)
24/03/2014 - Mon    Pilot Branch Workstations (deployment to 6 Branches)
24/03/2014 - Mon    Virtual desktop deployment in AUD01 (*see schedule below)
28/03/2014 - Fri    Production Patch Release AU Group 1 Workstations
31/03/2014 - Mon    Production Patch Release AU Group 2 Workstations
01/04/2014 - Tue    Production Patch Release PBS Group 1 and Branch 2 Workstations
02/04/2014 - Wed    Production Patch Release to PBS Group 2 and Branch 1 Workstations
05/04/2014 - Sat    Patch Release to Global Markets and offshore domain Workstations
2.1 VDI Advertisement for Patch Cycle
XP VDI Patch Cycle - To commence as specified
Collection Name                                Domain    Schedule
AUT01 Virtual Desktops & Standard Desktops     AUT01     Sat 22/03/2014 (use advertisement schedule)
Virtual Desktops - AUD01 - Ending 0-1          AUD01     24/03/2014 2am – 10am (no recurrence, one time only)
Virtual Desktops - AUD01 - Ending 2-3          AUD01     25/03/2014 2am – 10am (no recurrence, one time only)
Virtual Desktops - AUD01 - Ending 4-5          AUD01     26/03/2014 2am – 10am (no recurrence, one time only)
Virtual Desktops - AUD01 - Ending 6-7          AUD01     27/03/2014 2am – 10am (no recurrence, one time only)
Virtual Desktops - AUD01 - Ending 8-9          AUD01     28/03/2014 2am – 10am (no recurrence, one time only)
3 Security Bulletin Summary
3.1 Rated: Critical
3.1.1 MS14-012 Cumulative Security Update for Internet Explorer (2925418)
Description:
This security update resolves one publicly disclosed vulnerability and seventeen privately reported
vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user
views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited
these vulnerabilities could gain the same user rights as the current user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted than users who operate
with administrative user rights.
Impact:
Remote Code Execution
Affects:
Microsoft Internet Explorer 7 (2925418)
Microsoft Internet Explorer 8 (2925418)
Patches Replaced:
MS14-010 (KB2909921) for Internet Explorer 7
MS14-010 (KB2909921) for Internet Explorer 8
Reboot Required: Yes
3.1.2 MS14-013 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2929961)
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability
could allow remote code execution if a user opens a specially crafted image file. An attacker who
successfully exploited this vulnerability could gain the same user rights as the current user. Users
whose accounts are configured to have fewer user rights on the system could be less impacted than
users who operate with administrative user rights.
Impact:
Remote Code Execution
Affects:
Microsoft Windows XP SP3 (KB2929961)
Patches Replaced:
MS13-056 (KB2845187)
Reboot Required: N/A
3.2 Rated: Important
3.2.1 MS14-015 Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2930275)
Description:
This security update resolves one publicly disclosed vulnerability and one privately reported
vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of
privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must
have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Impact:
Elevation of Privilege
Affects:
Microsoft Windows XP SP3 (KB2930275)
Patches Replaced:
MS13-101 (KB2893984)
Reboot Required: Yes
3.2.2 MS14-014 Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2930275)
Description:
This security update resolves a privately reported vulnerability in Microsoft Silverlight. The vulnerability
could allow security feature bypass if an attacker hosts a website that contains specially crafted
Silverlight content that is designed to exploit the vulnerability, and then convinces a user to view the
website. In all cases, however, an attacker would have no way to force users to visit a website.
Instead, an attacker would have to convince users to visit a website, typically by getting them to click
a link in an email message or in an Instant Messenger message that takes them to the attacker's
website. It could also be possible to display specially crafted web content by using banner
advertisements or by using other methods to deliver web content to affected systems.
Impact:
Security Feature Bypass
Affects:
Microsoft Silverlight 5 (KB2930275)
Patches Replaced:
MS13-087 (KB2890788)
Reboot Required: Yes
4 Additional/Revised/Advisory Updates
5 Above Base Application Updates
5.1.1 Adobe Flash Player 12.0.0.77 (APSB14-08)
http://www.adobe.com/support/security/bulletins/apsb14-08.html
Description:
Adobe has released security updates for Adobe Flash Player 12.0.0.70 and earlier versions for Windows
and Macintosh and Adobe Flash Player 11.2.203.341 and earlier versions for Linux. These updates
address a critical vulnerability that could potentially allow an attacker to remotely take control of the
affected system.
Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends
users update their product installations to the latest versions:
- Users of Adobe Flash Player 12.0.0.70 and earlier versions for Windows and Macintosh should
  update to Adobe Flash Player 12.0.0.77.
Replaced: Adobe Flash Player 12.0.0.44
5.1.2 Apple QuickTime 7.7.5 (APSB14-08)
http://support.apple.com/kb/HT6151
Description:
- An uninitialized pointer issue existed in the handling of track lists. This issue was addressed
  through improved error checking.
- A buffer overflow existed in the handling of H.264 encoded movie files. This issue was
  addressed through improved bounds checking.
- An out of bounds byte swapping issue existed in the handling of QuickTime image descriptions.
  This issue was addressed through improved bounds checking.
- A signedness issue existed in the handling of 'stsz' atoms. This issue was addressed through
  improved bounds checking.
- A buffer overflow existed in the handling of 'ftab' atoms. This issue was addressed through
  improved bounds checking.
- A memory corruption issue existed in the handling of 'dref' atoms. This issue was addressed
  through improved bounds checking.
- A buffer overflow existed in the handling of 'ldat' atoms. This issue was addressed through
  improved bounds checking.
- A buffer overflow existed in the handling of PSD images. This issue was addressed through
  improved bounds checking.
- An out of bounds byte swapping issue existed in the handling of 'ttfo' elements. This issue was
  addressed through improved bounds checking.
- A buffer overflow existed in the handling of 'clef' atoms. This issue was addressed through
  improved bounds checking.
Replaced: QuickTime 7.7.4
5.1.3 Adobe Reader 11.0.06.R02
Description:
Revised package to turn off the Certificate Import prompt on first launch.
Replaced: Adobe Reader 11.0.06.R01
6 Testing
An installation test for each Security Update is to be performed on the SOE versions listed in the table
below; results are shown in the table. Functionality testing of the security updates will not be performed.
If functionality testing is required, normal patching procedures through UAT are required.
Microsoft Security Patch                                   PASS/FAIL
Section 6.1 Rated: Critical
6.1.1 MS14-012 (KB2925418) on XPSOE 4.00.0                 Pass
6.1.1 MS14-012 (KB2925418) on XPSOE 5.00.0                 Pass
6.1.2 MS14-013 (KB2929961) on XPSOE 4.00.0                 Pass
6.1.2 MS14-013 (KB2929961) on XPSOE 5.00.0                 Pass
Section 6.1 Rated: Important
6.2.1 MS14-015 (KB2930275) on XPSOE 4.00.0                 Pass
6.2.1 MS14-015 (KB2930275) on XPSOE 5.00.0                 Pass
6.2.2 MS14-016 (KB2932677) on XPSOE 4.00.0                 Pass
6.2.2 MS14-016 (KB2932677) on XPSOE 5.00.0                 Pass
Section 7 Rated: Additional/Revised/Advisory Updates
Section 8 Rated: Above Base Application Updates
8.1.1 Adobe Flash Player 12.0.0.77 on XPSOE 4.00.0         Pass
8.1.1 Adobe Flash Player 12.0.0.77 on XPSOE 5.00.0         Pass
8.1.2 Apple QuickTime 7.7.5 on XPSOE 4.00.0                Pass
8.1.2 Apple QuickTime 7.7.5 on XPSOE 5.00.0                Pass
8.1.3 Adobe Reader 11.0.06.R02 on XPSOE 4.00.0             Pass
8.1.3 Adobe Reader 11.0.06.R02 on XPSOE 5.00.0             Pass
7 References
More detail on these patches can be found at www.microsoft.com/technet/security by searching for
the referenced MS or KB number.
Adobe information can be located at http://www.adobe.com/support/security/
Apple information can be located at https://ssl.apple.com/support/security/