Today we released four security bulletins addressing six CVEs. All four bulletins have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability rating | Likely first 30 days impact | Platform mitigations and key notes |
--- | --- | --- | --- | --- | --- |
MS14-002 (NDProxy, a kernel-mode driver) | Attacker able to run code at a low privilege level inside an application sandbox exploits this vulnerability to elevate privileges to SYSTEM. | Important | 1 | Likely to continue seeing Adobe PDF exploits leveraging this vulnerability to elevate privileges outside sandbox. | All exploits we have analyzed for this vulnerability attempt to exploit an already-patched Adobe Reader vulnerability, CVE-2013-3346. This Adobe vulnerability was addressed via a September 11, 2013 Adobe security update. Addresses vulnerability described by security advisory 2914486. |
MS14-001 (Word) | Victim opens malicious Office document. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
MS14-003 (win32k.sys, a kernel-mode driver) | Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
MS14-004 (Microsoft Dynamics AX) | Attacker able to authenticate to Dynamics server could cause denial-of-service condition preventing it from servicing other client requests. | Important | n/a | Denial of service only, not usable for code execution. | |
- Jonathan Ness, MSRC engineering