Today we released five security bulletins addressing 23 unique CVEs. Two bulletins have a maximum severity rating of Critical, while the other three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability Index (1 = exploitation most likely) | Likely first 30 days impact | Platform mitigations and key notes |
---|---|---|---|---|---|
MS14-012 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Addresses the vulnerability described in Security Advisory 2934088, an issue under targeted attack. |
MS14-013 (DirectShow) | Victim browses to a malicious webpage. | Critical | 3 | Unlikely to see reliable exploits developed within next 30 days. | Addresses a single double-free bug in qedit.dll, reachable from a malicious webpage. |
MS14-014 (Silverlight) | Attacker combines this vulnerability with a (separate) code execution vulnerability to execute arbitrary code in the browser security context. | Important | n/a | No chance for direct code execution with this vulnerability. | This vulnerability does not result in code execution by itself. It is a component attackers could chain with a separate memory-corruption bug to bypass ASLR. |
MS14-015(Kernel mode drivers) | Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
MS14-016 (Security Account Manager) | An authenticated attacker who can call the Security Account Manager password-change API makes repeated password guesses without triggering the account lockout policy. | Important | n/a | No chance for direct code execution with this vulnerability. | Attacker must authenticate before calling the affected API. After authenticating, the attacker can choose to guess either their own or another user's password without risk of lockout. |
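Because the MS14-016 guessing path does not count toward lockout, the usual "account locked out" signal never fires, so a machine that has not yet taken the update needs a different indicator. The following is an added example (not part of the MSRC post and not a Microsoft tool) that applies the lockout policy's own threshold and window to failed password-change attempts instead. It assumes that a failed change attempt is recorded as Security event 4723 ("An attempt was made to change an account's password") with the Audit Failure keyword; the simplified pipe-separated log lines, the account names, and the 5-failures-in-30-minutes policy are all constructed for the example.

```python
"""Flag password guessing through the SAM password-change API.

Added example, not code from the MSRC post. Assumptions:
- a failed change attempt appears as Security event 4723 with
  the Audit Failure keyword (assumed; verify against your audit policy);
- the threshold and window mirror a lockout policy of
  5 failures in 30 minutes (constructed for the example).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified form:
# time|event_id|keyword|subject_account|target_account
# "mallory" hammers alice's password-change API; "bob" just mistypes twice.
SAMPLE_LOG = """\
2014-03-11T10:00:01|4723|Audit Failure|mallory|alice
2014-03-11T10:00:02|4723|Audit Failure|mallory|alice
2014-03-11T10:00:04|4723|Audit Failure|mallory|alice
2014-03-11T10:00:05|4723|Audit Failure|mallory|alice
2014-03-11T10:00:07|4723|Audit Failure|mallory|alice
2014-03-11T10:00:08|4723|Audit Failure|mallory|alice
2014-03-11T10:00:09|4723|Audit Success|mallory|alice
2014-03-11T11:15:00|4723|Audit Failure|bob|bob
2014-03-11T12:30:00|4723|Audit Failure|bob|bob
2014-03-11T12:31:00|4723|Audit Success|bob|bob
"""


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, event_id, keyword, subject, target = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "failure": keyword == "Audit Failure",
        "subject": subject,
        "target": target,
    }


def find_guessing(log_text, threshold=5, window=timedelta(minutes=30)):
    """Return {target_account: time the threshold was reached}.

    Applies a sliding window per target account, exactly as a lockout
    policy would count logon failures, but over failed 4723 events,
    which the vulnerable API path did not count.
    """
    events = sorted(
        (parse_event(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["time"],
    )
    recent = defaultdict(deque)  # target -> failures inside the window
    hits = {}
    for e in events:
        if e["event_id"] != 4723 or not e["failure"]:
            continue
        q = recent[e["target"]]
        q.append(e["time"])
        # Drop failures older than the window before counting.
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["target"] not in hits:
            hits[e["target"]] = e["time"]
    return hits


if __name__ == "__main__":
    for target, when in find_guessing(SAMPLE_LOG).items():
        print(f"{target}: {when.isoformat()} - failed password-change burst")
```

Run against the constructed sample, only `alice` is reported, at the fifth failure; `bob`'s two failures are 75 minutes apart and never fill the window. On a real host, feed it 4723 events from the Security log and set the threshold and window from the domain's lockout policy so the detection mirrors the protection the updated API now enforces.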
- Jonathan Ness, MSRC engineering team