Quantcast
Channel: TechNet Blogs
Viewing all articles
Browse latest Browse all 17778

Assessing risk for the January 2014 security updates

$
0
0

Today we released four security bulletins addressing six CVE’s. All four bulletins have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

BulletinMost likely attack vectorMax Bulletin SeverityMax exploit-ability ratingLikely first 30 days impactPlatform mitigations and key notes
MS14-002

(NDProxy, a kernel-mode driver)

Attacker able to run code at a low privilege level inside an application sandbox exploits this vulnerability to elevate privileges to SYSTEM.Important1Likely to continue seeing Adobe PDF exploits leveraging this vulnerability to elevate privileges outside sandbox.All exploits we have analyzed for this vulnerability attempt to exploit an already-patched Adobe Reader vulnerability, CVE-2013-3346. This Adobe vulnerability was addressed via a September 11, 2013 Adobe security update.

Addresses vulnerability described by security advisory 2914486.

MS14-001

(Word)

Victim opens malicious Office document.Important1Likely to see reliable exploits developed within next 30 days. 
MS14-003

(win32k.sys, a kernel-mode driver)

Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.Important1Likely to see reliable exploits developed within next 30 days. 
MS14-004

(Microsoft Dynamics AX)

Attacker able to authenticate to Dynamics server could cause denial-of-service condition preventing it from servicing other client requests.Importantn/aDenial of service only, not usable for code execution. 

- Jonathan Ness, MSRC engineering


Viewing all articles
Browse latest Browse all 17778

Trending Articles