Assessing Risk for the November 2014 Security Updates
Today we released fourteen security bulletins addressing 33 unique CVEs. Four bulletins have a maximum severity rating of Critical, eight have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. This table is designed to help you prioritize the deployment of updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Deployment Priority | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS14-064 (Windows OLE Component) | User opens malicious Office document. | Critical | 0 | 1 | CVE-2014-6352 used in limited, targeted attacks in the wild. |
| MS14-066 (SChannel) | A malicious user sends specially crafted packets to an exposed service. | Critical | 1 | 1 | Internally found during a proactive security assessment. |
| MS14-065 (Internet Explorer) | User browses to a malicious webpage. | Critical | 1 | 1 | |
| MS14-069 (Office) | User opens malicious Word document. | Important | 1 | 2 | Office 2010 and later versions are not affected by any of the vulnerabilities in this bulletin. |
| MS14-067 (MSXML) | User browses to a malicious webpage. | Critical | 2 | 2 | Only MSXML 3 is vulnerable. |
| MS14-073 (SharePoint) | User opens a malicious link. | Important | 2 | 2 | This is a Cross Site Scripting vulnerability. |
| MS14-078 (IME) | User opens a malicious PDF document with Adobe Reader. | Moderate | 0 | 3 | CVE-2014-4077 used in one targeted attack in the wild to bypass the Adobe Reader sandbox via binary hijacking using a malicious DIC file. |
| MS14-071 (Windows Audio Service) | User browses to a malicious webpage. | Important | 2 | 3 | Local elevation of privilege only; could potentially be utilized as a sandbox escape. |
| MS14-070 (tcpip.sys) | An authenticated Windows user runs a malicious program on the target system. | Important | 2 | 3 | Local elevation of privilege only. |
| MS14-072 (.NET Framework) | Attacker sends malicious data to a vulnerable web application. | Important | 2 | 3 | Applications not using .NET Remoting are not vulnerable. |
| MS14-076 (IIS) | A whitelist-only site could be accessed by an attacker not connected to the proper domain. A blacklist could be similarly bypassed. | Important | 3 | 3 | The vulnerability manifests itself in configurations where the Domain Name Restrictions whitelist and blacklist features are used with entries that contain wildcards. IP Address Restrictions are not affected. |
| MS14-074 (RDP) | An authorization audit log could be bypassed in some scenarios. | Important | 3 | 3 | The vulnerability only applies to failed AuthZ scenarios, and not to failed AuthN. For example, if a valid user logon is attempted for a user that does not have privilege to RDP into a server, that event log may not be recorded. Event logs will still be recorded if an invalid user or password is presented. |
| MS14-077 (ADFS) | An authenticated user could not be logged out in some configurations. | Important | 3 | 3 | Manifests itself in a specific configuration where the ADFS server is configured to use a SAML Relying Party with no sign-out endpoint configured. |
| MS14-079 (Kernel Mode Drivers [win32k.sys]) | User browses to a malicious webpage. | Moderate | 3 | 3 | The vulnerability leads to denial of service only. |
- Suha Can, MSRC Engineering