Assessing Risk for the November 2014 Security Updates


Today we released fourteen security bulletins addressing 33 unique CVEs. Four bulletins have a maximum severity rating of Critical, eight have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. This table is designed to help you prioritize the deployment of updates appropriately for your environment.

| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Deployment Priority | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS14-064 (Windows OLE Component) | User opens malicious Office document. | Critical | 0 | 1 | CVE-2014-6352 used in limited, targeted attacks in the wild. |
| MS14-066 (SChannel) | A malicious user sends specially crafted packets to an exposed service. | Critical | 1 | 1 | Internally found during a proactive security assessment. |
| MS14-065 (Internet Explorer) | User browses to a malicious webpage. | Critical | 1 | 1 | |
| MS14-069 (Office) | User opens malicious Word document. | Important | 1 | 2 | Office 2010 and later versions are not affected by any of the vulnerabilities in this bulletin. |
| MS14-067 (MSXML) | User browses to a malicious webpage. | Critical | 2 | 2 | Only MSXML 3 is vulnerable. |
| MS14-073 (SharePoint) | User opens a malicious link. | Important | 2 | 2 | This is a Cross Site Scripting vulnerability. |
| MS14-078 (IME) | User opens a malicious PDF document with Adobe Reader. | Moderate | 0 | 3 | CVE-2014-4077 used in one targeted attack in the wild to bypass Adobe Reader Sandbox via binary hijacking using malicious DIC file. |
| MS14-071 (Windows Audio Service) | User browses to a malicious webpage. | Important | 2 | 3 | Local elevation of privilege only, could potentially be utilized as a sandbox escape. |
| MS14-070 (tcpip.sys) | An authenticated Windows user runs a malicious program on the target system. | Important | 2 | 3 | Local elevation of privilege only. |
| MS14-072 (.NET Framework) | Attacker sends malicious data to a vulnerable web application. | Important | 2 | 3 | Applications not using .NET Remoting are not vulnerable. |
| MS14-076 (IIS) | A whitelist-only site could be accessed by an attacker not connected to the proper domain. A blacklist could be similarly bypassed. | Important | 3 | 3 | The vulnerability manifests itself in configurations where the Domain Name Restrictions whitelist and blacklist features are used with entries that contain wildcards. IP Address Restrictions are not affected. |
| MS14-074 (RDP) | An authorization audit log could be bypassed in some scenarios. | Important | 3 | 3 | The vulnerability only applies to failed AuthZ scenarios, and not to failed AuthN. For example, if a valid user logon is attempted for a user that does not have privilege to RDP into a server, that event log may not be recorded. Event logs will still be recorded if an invalid user or password is presented. |
| MS14-077 (ADFS) | An authenticated user could not be logged out in some configurations. | Important | 3 | 3 | Manifests itself in a specific configuration where the ADFS server is configured to use a SAML Relying Party with no sign-out endpoint configured. |
| MS14-079 (Kernel Mode Drivers [win32k.sys]) | User browses to malicious webpage. | Moderate | 3 | 3 | The vulnerability leads to denial of service only. |

– Suha Can, MSRC Engineering

 

