Today we released seven security bulletins addressing 31 unique CVEs. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Addresses both memory corruption vulnerabilities and elevation of privilege vulnerabilities in a single package. |
| | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | The single CVE addressed by this bulletin is included in MS14-010 for IE9 users. Customers with IE9 installed need not deploy MS14-011. |
| | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Internet Explorer is the vector for this vulnerability in DirectWrite. |
| | Victim browses to a malicious website and is exposed to this information leak vulnerability. | Important | 3 | Vulnerability first seen as ASLR bypass mechanism in targeted attacks during November 2013. May see attacks begin using this again as details emerge. | As discussed in the SRD and FireEye blogs during November 2013, this vulnerability was used along with another vulnerability in active attacks. The MS13-090 security update completely blocked all attacks described by those blog posts. |
| | The vulnerability most likely to be exploited involves an attacker initiating but not completing POST requests to an ASP.NET web application, resulting in a resource exhaustion denial of service. | Important | 1 | Resource exhaustion attacks involving CVE-2014-0253 already in progress in the wild. | CVE-2014-0253 addresses the resource exhaustion “Slowloris” attack. CVE-2014-0257 addresses a sandbox escape vulnerability involving COM objects running code out-of-process. CVE-2014-0295 addresses the vsavb7rt.dll ASLR bypass described at http://www.greyhathacker.net/?p=585. |
| (Forefront Protection for Exchange) | Code is unlikely to be reachable. However, if attackers do find a way, it would involve a malicious email message being processed by the Forefront Protection for Exchange service. | Critical | 2 | Unlikely to see exploits developed targeting this vulnerability. | While this vulnerability’s attack vector appears attractive (email), the vulnerability is unlikely to be reachable. It was discovered internally by code analysis and we have not been successful in developing a real-world vulnerability trigger. We address it via security update out of an abundance of caution. |
| | Attacker on the same subnet as victim (IPv6 link-local) sends a large number of malicious router advertisements, resulting in a victim system bugcheck. | Important | 3 | Denial of service only. | This bugcheck is triggered by a watchdog timer on the system, not due to memory corruption. Affects Windows RT, Windows Server 2012 (not R2), and Windows 8 (not 8.1). |
- Jonathan Ness, MSRC