Today we released seven security bulletins addressing 31 unique CVE’s. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploit-ability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS14-010(Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Addresses both memory corruption vulnerabilities and elevation of privilege vulnerabilities in a single package. |
| MS14-011(VBScript) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | The single CVE addressed by this bulletin is included in MS14-010 for IE9 users. Customers with IE9 installed need not deploy MS14-011. |
| MS14-007(DirectWrite) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Internet Explorer is vector to this vulnerability in DirectWrite. |
| MS14-005(MSXML) | Victim browses to a malicious website to be exposed to this information leak vulnerability. | Important | 3 | Vulnerability first seen as ASLR bypass mechanism in targeted attacks during November 2013. May see attacks again begin using this again as details emerge. | As discussed in the SRDand FireEyeblogs during November 2013, this vulnerability was used along with another vulnerability in active attacks. The MS13-090 security update completely blocked all attacks described by those blog posts. |
| MS14-009(.NET Framework) | Most likely to be exploited vulnerability involves attacker initiating but not completing POST requests to ASP.NET web application, resulting in resource exhaustion denial of service. | Important | 1 | Resource exhaustion attacks involving CVE-2014-0253 already in progress in the wild. | CVE-2014-0253 addresses resource exhaustion “Slowloris” attack.CVE-2014-0257 addresses sandbox escape vulnerability invoving com objects running code out-of-process.CVE-2014-0295 addresses the vsab7rt.dll ASLR bypass described athttp://www.greyhathacker.net/?p=585. |
| MS14-008(Forefront Protection for Exchange) | Code is unlikely to be reachable. However, if attackers do find a way, it would involve a malicious email message being processed by the Forefront Protection for Exchange service. | Critical | 2 | Unlikely to see exploits developed targeting this vulnerability. | While this vulnerability’s attack vector appears attractive (email), the vulnerability is unlikely to be reachable. It was discovered internally by code analysis and we have not been successful in developing a real-world vulnerability trigger. We address it via security update out of an abundance of caution. |
| MS14-006(IPv6) | Attacker on the same subnet as victim (IPv6 link-local) sends large number of malicious router advertisements resulting in victim system bugcheck. | Important | 3 | Denial of service only. | This bugcheck is triggered by a watchdog timer on the system, not due to memory corruption. Affects Windows RT, Windows Server 2012 (not R2), and Windows 8 (not 8.1). |
- Jonathan Ness, MSRC