Assessing risk for the March 2014 security updates

/ By swiat / March 11, 2014

Today we released five security bulletins addressing 23 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin	Most likely attack vector	Max Bulletin Severity	Max Exploit-ability	Likely first 30 days impact	Platform mitigations and key notes
MS14-012(Internet Explorer)	Victim browses to a malicious webpage.	Critical	1	Likely to see reliable exploits developed within next 30 days.	Addresses vulnerability described by Security Advisory 2934088, an issue under targeted attack.
MS14-013(DirectShow)	Victim browses to a malicious webpage.	Critical	3	Unlikely to see reliable exploits developed within next 30 days.	Addresses single double-free issue in qedit.dll, reachable via a malicious webpage.
MS14-014(Silverlight)	Attacker combines this vulnerability with a (separate) code execution vulnerability to execute arbitrary code in the browser security context.	Important	n/a	No chance for direct code execution with this vulnerability.	This vulnerability does not result in code execution directly. However, it is a component attackers could use to bypass ASLR.
MS14-015(Kernel mode drivers)	Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.	Important	1	Likely to see reliable exploits developed within next 30 days.
MS14-016(Security Account Manager)	Attacker able to make API calls to security account manager password API able to brute-force password guessing attempts without triggering account lockout policy.	Important	n/a	No chance for direct code execution with this vulnerability.	Attacker must authenticate before calling the affected API. After authenticating, the attacker can choose to guess either their own or other user’s password without risk of lockout.

- Jonathan Ness, MSRC engineering team