Assessing risk for the January 2014 security updates
Today we released four security bulletins addressing six CVEs. All four bulletins have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability rating | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS14-002 (NDProxy, a kernel-mode driver) | Attacker able to run code at a low privilege level inside an application sandbox exploits this vulnerability to elevate privileges to SYSTEM. | Important | 1 | Likely to continue seeing Adobe PDF exploits leveraging this vulnerability to elevate privileges outside sandbox. | All exploits we have analyzed for this vulnerability attempt to exploit an already-patched Adobe Reader vulnerability, CVE-2013-3346. This Adobe vulnerability was addressed via a September 11, 2013 Adobe security update. Addresses vulnerability described by security advisory 2914486. |
| MS14-001 (Word) | Victim opens malicious Office document. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
| MS14-003 (win32k.sys, a kernel-mode driver) | Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
| MS14-004 (Microsoft Dynamics AX) | Attacker able to authenticate to Dynamics server could cause denial-of-service condition preventing it from servicing other client requests. | Important | n/a | Denial of service only, not usable for code execution. | |

- Jonathan Ness, MSRC engineering