Security → Microsoft Security Bulletin Releases

Summary
=======

The following bulletins have undergone a major revision increment.

* MS14-080 - Critical

Bulletin Information:
=====================

MS14-080 - Critical

- Title: Cumulative Security Update for Internet Explorer
- »technet.microsoft.com/li ··· ms14-080
- Reason for Revision: V2.0 (January 13, 2015): To address issues
with Security Update 3008923, Microsoft re-released MS14-080 to
comprehensively address CVE-2014-6363. In addition to installing
update 3008923, customers running Internet Explorer 10 on Windows 8,
Windows Server 2012, or Window RT should also install update
3029449, which has been added with this rerelease. Customers who
have already successfully installed the 3008923 update, which has
not changed since its original release, do not need to reinstall
it. See Microsoft Knowledge Base Article 3008923 for more
information.
- Originally posted: December 9, 2014
- Updated: January 13, 2015
- Bulletin Severity Rating: Critical
- Version: 2.0

thanks nick..

here is some information from the revision-notes:

"Customers who have already successfully installed the 3008923 update, which has not changed since its original release, do not need to reinstall it (the 3008923 update)"..

"customers running Internet Explorer 10 on Windows 8, Windows Server 2012, or Window RT should also install update 3029449, which has been added with this re-release"..

And here's Woody Leonhard's take on the MS14-080 rerelease:

quote:

---

A new MS14-080/KB 3029449, which is an Internet Explorer cumulative rollup re-release of the old MS14-080/KB 3008923, which was one of the botched hangover patches from December. Note the change in KB number. In certain circumstances (described below) you may need to install both patches.

---

quote:

---

Here's what's happening with the re-released (but differently numbered) MS14-080 patch. Tighten your grip on those hip waders. This gets messy.

The original MS14-080/KB 3008923 IE rollup had all sorts of bugs. Microsoft issued a patch, KB 3025390, to fix the problems but it, in turn, caused even more problems (see the comments to my InfoWorld article). In addition, Microsoft discovered that the original KB 3008923 didn't fix a VBScript security hole, known as CVE-2014-6363. So this month, Microsoft issued an update to MS14-080 called KB 3029449 that specifically addresses the VBScript hole.

---

quote:

---

MS14-080 now includes these bafflegab instructions:

To address issues with Security Update 3008923, Microsoft re-released MS14-080 to comprehensively address CVE-2014-6363. In addition to installing update 3008923, customers running Internet Explorer 10 on Windows 8, Windows Server 2012, or Window RT should also install update 3029449, which has been added with this rerelease. Customers who have already successfully installed the 3008923 update, which has not changed since its original release, do not need to reinstall it. See Microsoft Knowledge Base Article 3008923 for more information.

It isn't at all clear if the new version of MS14-080 includes fixes for the problems introduced by the old MS14-080 and/or the problems introduced by KB 3025390, which was supposed to solve those original MS14-080 problems.

Got that?

The IE patch rollups have had so many problems this past year, it's no wonder Microsoft wants to toss IE into a formaldehyde jar and start anew with Spartan.

---

»www.infoworld.com/articl ··· sdr=true

"Baffling"...it's worse than that. I had no problems with the original Dec cumulative IE update on Windows 8.0 Pro. I don't need the one issued this month for those who had problems with the December update.

Where the heck am I supposed to get the VBScript patch? It's not available SEPARATELY! I'm not uninstalling a functioning Dec Cumulative IE update just so I can install a new version that also happens to have the VBScript patch that is needed.

Microsoft is really losing it. Why has MS not issued the VBScript patch as standalone for those of us who have had NO problems with the Dec cumulative update?

I haven't installed ANY of the patches for this month. I didn't even download to disk the Windows Kernel Mode Driver patch. I'm scared of it and Woody says I have good reason to be! The others, I have downloaded to disk but have not installed. Sort of strange, time was when I would hesitate on updating Flash and Java because there were always problems. Now I get those immediately. Its the Microsoft ones that make me quake but didn't back when Java and Flash made me nervous to update.

Wrong tense. Lost.Me either--yet. I only got around to reading the KB articles last night.

I have noticed that the patch list has changed at least once over the last few days. It went from 5 to 6 now back to 5.

I hadn't heard about Spartan but a quick web search showed it's existence was only revealed in late Dec 2014.

Microsoft May Soon Replace Internet Explorer With a New Web Browser

quote:

---

Microsoft's Windows 10 operating system will debut with an entirely new web browser code-named Spartan, according to a report citing anonymous sources.

---

Sounds to me that MS might be trying to ice the Win10 cake with Spartan to increase sales.

quote:

---

Where the heck am I supposed to get the VBScript patch? It's not available SEPARATELY! I'm not uninstalling a functioning Dec Cumulative IE update just so I can install a new version that also happens to have the VBScript patch that is needed.

---

To quote Woody:

said by Woody Leonhard, InfoWorld :

---

Microsoft discovered that the original KB 3008923 didn't fix a VBScript security hole, known as CVE-2014-6363. So this month, Microsoft issued an update to MS14-080 called KB 3029449 that specifically addresses the VBScript hole.

---

Since you successfully installed KB 3008923, you don't need to reinstall it. It hasn't changed since its original release. But if you want to get the VBScript patch, you should install KB 3029449, which is available here:

»www.microsoft.com/en-us/ ··· id=45478

You can read about it here:

MS14-080: Description of the security update for VBScript 5.8: January 13, 2015
»support.microsoft.com/kb ··· 49/en-us

I got the 'rerelease' notice exactly 22 minutes after I got the original 'release' notice.

Seriously, WTF is going on over there? I couldn't even make sense of the language in the re-release, which is just a mess of garbled English with about 50 commas thrown in for added confusion.

So in addition to not getting their code right in the first place, or the patches for their errors, or the corrections for the patches for their errors, now they struggle to write intelligible, grammatically correct complete sentences.

Thanks! Not sure how I missed it last night....but just now I accidentally downloaded the x86 version and was momentarily puzzled when the installer said the patch was not for my computer. On the second try I got the correct version and it installed successfully.

OT- but I have wondered for a long time why I always get that "if your download doesn't start in 30 seconds click here" message when I download from MS Download Center. I have 30/5 connection ...is it MS servers always being too busy or what?

I find that Spartan thing strange as IE 11 in Win 10 Preview is quite different already...no Trident engine for one thing. But this Spartan thing has Trident engine...it seems yet another example of Microsoft having no idea what it is doing.

Probably a case of separate and competing product development teams.

. o O ("May the best team win!")

Edge mode in IE 11, Win 10 Tech Preview uses the Spartan Trident engine and non-edge mode uses the normal Trident engine. Why do you think IE 11, Win 10 Tech Preview doesn't use Trident?

I either read or saw an interview (seen several) by Microsoft that they are not using Trident in IE 11 Edge Mode in Win 10 Preview and Trident will not be in the release version. Plus, IE 11 identifies as Chrome browser and doesn't show Trident in the string...soooo???

The ie11 Edge UA has changed a few times and will change again. MS has said they're doing it to see which makes the sites send a more standards compliant coded page and displays the best with their new browser engine. The Edge descriptor is supposed to be added to the UA sometime soon.

The UA you've posted for IE11 Edge mode recently had descriptions of 2 different browsers (Safari and Chrome), 2 rendering engines (WebKit and KHTML), and the wrong OS identifier (Windows 7). MS isn't really going to use the rendering engines from either of their longest competitors (Apple and Linux).

For MS to develop or include a non Trident engine in IE, then abandon it in the next browser release doesn't even make sense. For MS to include the next version of Trident as a limited default or optional mode in the current version of IE makes sense. Then developers will have experience with it when the next MS browser (Spartan) which uses that engine by default is released.

That was Proxo that uses Windows 7 as the identifier. With it bypassed I get Windows 8 instead.

I didn't think MS planned to use Apple's or Chrome's engines but simply that they were doing what you said. I had not read from them or anyone else that Trident was to be used in the future. As for Spartan that only came to the world's attention a couple of weeks ago and sounds so horrible that I can't believe they are going there.

Yes, Trident 7 is the current engine for IE 11. Trident "Edge 12" is the engine for IE 11 Edge mode and Spartan: »www.neowin.net/news/here ··· ndows-10