Today we released four security bulletins addressing 11 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability | Likely first 30 days impact | Platform mitigations and key notes |
---|---|---|---|---|---|
MS14-017 (Word) | Victim opens a malicious RTF or DOC/DOCX file. | Critical | 1 | Likely to continue to see RTF and DOC based exploits for CVE-2014-1761. | Addresses vulnerability described by Security Advisory 2953095, an issue under targeted attack. |
MS14-018 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within the next 30 days. | |
MS14-020 (Publisher) | Victim opens a malicious Publisher (.PUB) file. | Important | 1 | While we may see reliable exploits developed within the next 30 days, unlikely to see widespread exploitation due to limited deployment of Publisher. | |
MS14-019 (Windows File Handling) | Attacker places a malicious .bat and/or .cmd file on a network share from which a victim launches an application that calls CreateProcess in an unsafe manner. The attack vector is similar to DLL preloading. | Important | 1 | While this is an exploitable vulnerability, we have historically not seen widespread exploitation of this type of vulnerability. | More details about this vulnerability in this SRD blog post today. |
- Jonathan Ness, MSRC engineering team