Today we released four security bulletins addressing 42 unique CVEs. One bulletin has a maximum severity rating of Critical and the other three have a maximum severity of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.
Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability Index Rating | Platform mitigations and key notes |
---|---|---|---|---|
MS14-052 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 0. Exploitation of CVE-2013-7331 has been detected in the wild, used as an information disclosure to determine whether EMET or a third-party anti-malware product is installed before launching an exploit for a different vulnerability. | No remote code execution vulnerabilities being addressed in this update are known to be under active attack. |
MS14-054 (Task Scheduler) | Attacker running code at low privilege runs an exploit binary to elevate to SYSTEM. | Important | 1 | |
MS14-053 (.NET Framework) | Attacker causes a compute resource exhaustion denial of service on an ASP.NET web server by sending maliciously crafted HTTP/HTTPS requests. | Important | 3 | Systems are only affected if ASP.NET is explicitly installed, enabled, and registered with IIS. |
MS14-055 (Lync Server) | Attacker causes a Lync server to fail by sending maliciously crafted SIP INVITE requests to the victim Lync server. | Important | 3 | The vulnerability is a remote, unauthenticated denial of service, but the attacker must first have access to information present in a valid Lync Server meeting request. |
- Jonathan Ness, MSRC