Today we released nine security bulletins addressing 37 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other seven have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.
Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability | Likely first 30 days impact | Platform mitigations and key notes |
---|---|---|---|---|---|
MS14-051 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 0 | Exploitation of CVE-2014-2817 detected in the wild. Used as a sandbox escape. | |
MS14-043 (Media Center) | On Media Center-equipped workstations (Win8.x Pro and all Win7 except Starter and Home Basic), victim opens malicious Office document or browses to malicious webpage that instantiates Media Center ActiveX control. | Critical | 2 | Less likely to see reliable exploits developed within next 30 days. | Server SKUs not affected. Windows 8 and Windows 8 RT not affected. Win7 Starter and Home Basic not affected. Our repro is via Office document (Important class vector) not via ActiveX control but we believe the code is reachable via ActiveX. |
MS14-048 (OneNote) | Victim opens malicious OneNote file that creates a file in startup folder leading to arbitrary code execution on next login. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | OneNote 2010 and OneNote 2013 not affected. (Only OneNote 2007 affected.) |
MS14-045 (Kernel mode drivers [win32k.sys]) | Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
MS14-049 (Microsoft Installer) | Attacker already running code at low privilege on a system where an MSI source location is available to low privilege users can tamper with the MSI and initiate a Repair operation to potentially run code as LocalSystem. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
MS14-044 (SQL Server denial-of-service) | Attacker able to authenticate at user level to SQL Server can run a TSQL batch command that causes a stack overrun that causes the server to stop responding. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
MS14-050 (SharePoint) | Victim installs a malicious third party SharePoint app that could potentially run arbitrary JavaScript that is run as the victim user as a custom action. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
MS14-046 (.NET Framework 2.0 ASLR bypass) | Attacker combines this vulnerability with a (separate) code execution vulnerability to compromise a system. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | This vulnerability does not result in code execution directly. However, it is a component attackers could potentially use to assist in bypassing ASLR. This potential ASLR bypass is not known to be in use in real-world attacks. |
MS14-047 (LRPC ASLR bypass) | Attacker already running code on a machine can combine this vulnerability with a (separate) code execution vulnerability to compromise a system by connecting to locally-listening service and filling address space to more accurately predict future memory allocation. | Important | 3 | Unlikely to see reliable exploits developed within next 30 days. | This vulnerability does not result in code execution directly. However, it is a component attackers could potentially use to assist in bypassing ASLR if attacker is already running code locally. |
- Jonathan Ness, MSRC