Assessing risk for the August 2014 security updates
Today we released nine security bulletins addressing 37 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other seven have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS14-051 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 0 | Exploitation of CVE-2014-2817 detected in the wild. Used as a sandbox escape. | |
| MS14-043 (Media Center) | On Media Center-equipped workstations (Win8.x Pro and all Win7 except Starter and Home Basic), victim opens malicious Office document or browses to malicious webpage that instantiates Media Center ActiveX control. | Critical | 2 | Less likely to see reliable exploits developed within next 30 days. | Server SKUs not affected. Windows 8 and Windows 8 RT not affected. Win7 Starter and Home Basic not affected. Our repro is via Office document (Important class vector) not via ActiveX control but we believe the code is reachable via ActiveX. |
| MS14-048 (OneNote) | Victim opens malicious OneNote file that creates a file in startup folder leading to arbitrary code execution on next login. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | OneNote 2010 and OneNote 2013 not affected. (Only OneNote 2007 affected.) |
| MS14-045 (Kernel mode drivers [win32k.sys]) | Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
| MS14-049 (Microsoft Installer) | Attacker already running code at low privilege on a system where an MSI source location is available to low privilege users can tamper with the MSI and initiate a Repair operation to potentially run code as LocalSystem. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
| MS14-044 (SQL Server denial-of-service) | Attacker able to authenticate at user level to SQL Server can run a TSQL batch command that causes a stack overrun that causes the server to stop responding. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
| MS14-050 (SharePoint) | Victim installs a malicious third party SharePoint app that could potentially run arbitrary JavaScript that is run as the victim user as a custom action. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
| MS14-046 (.NET Framework 2.0 ASLR bypass) | Attacker combines this vulnerability with a (separate) code execution vulnerability to compromise a system. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | This vulnerability does not result in code execution directly. However, it is a component attackers could potentially use to assist in bypassing ASLR. This potential ASLR bypass is not known to be in use in real-world attacks. |
| MS14-047 (LRPC ASLR bypass) | Attacker already running code on a machine can combine this vulnerability with a (separate) code execution vulnerability to compromise a system by connecting to locally-listening service and filling address space to more accurately predict future memory allocation. | Important | 3 | Unlikely to see reliable exploits developed within next 30 days. | This vulnerability does not result in code execution directly. However, it is a component attackers could potentially use to assist in bypassing ASLR if attacker is already running code locally. |

- Jonathan Ness, MSRC