CVE-2014-2815: Assessing risk for the August 2014 security updates – Microsoft Security Response Center
Microsoft OneNote 2007 SP3 allows remote attackers to execute arbitrary code via a crafted OneNote file that triggers creation of an executable file in a startup folder, aka “OneNote Remote Code Execution Vulnerability.”
Today we released nine security bulletins addressing 37 unique CVEs. Two bulletins have a maximum severity rating of Critical, while the other seven have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS14-051 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 0 | Exploitation of CVE-2014-2817 detected in the wild. Used as a sandbox escape. | |
| MS14-043 (Media Center) | On Media Center-equipped workstations (Win8.x Pro and all Win7 except Starter and Home Basic), victim opens malicious Office document or browses to malicious webpage that instantiates Media Center ActiveX control. | Critical | 2 | Less likely to see reliable exploits developed within next 30 days. | Server SKUs not affected. Windows 8 and Windows 8 RT not affected. Win7 Starter and Home Basic not affected. Our repro is via Office document (Important class vector), not via ActiveX control, but we believe the code is reachable via ActiveX. |
| MS14-048 (OneNote) | Victim opens malicious OneNote file that creates a file in startup folder, leading to arbitrary code execution on next login. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | OneNote 2010 and OneNote 2013 not affected. (Only OneNote 2007 affected.) |
| MS14-045 (Kernel mode drivers [win32k.sys]) | Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
| MS14-049 (Microsoft Installer) | Attacker already running code at low privilege on a system where an MSI source location is available to low privilege users can tamper with the MSI and initiate a Repair operation to potentially run code as LocalSystem. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
| MS14-044 (SQL Server denial-of-service) | Attacker able to authenticate at user level to SQL Server can run a TSQL batch command that causes a stack overrun that causes the server to stop responding. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
| MS14-050 (SharePoint) | Victim installs a malicious third party SharePoint app that could potentially run arbitrary JavaScript as the victim user as a custom action. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | |
| MS14-046 (.NET Framework 2.0 ASLR bypass) | Attacker combines this vulnerability with a (separate) code execution vulnerability to compromise a system. | Important | 2 | Less likely to see reliable exploits developed within next 30 days. | This vulnerability does not result in code execution directly. However, it is a component attackers could potentially use to assist in bypassing ASLR. This potential ASLR bypass is not known to be in use in real-world attacks. |
| MS14-047 (LRPC ASLR bypass) | Attacker already running code on a machine can combine this vulnerability with a (separate) code execution vulnerability to compromise a system by connecting to a locally-listening service and filling address space to more accurately predict future memory allocation. | Important | 3 | Unlikely to see reliable exploits developed within next 30 days. | This vulnerability does not result in code execution directly. However, it is a component attackers could potentially use to assist in bypassing ASLR if the attacker is already running code locally. |
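The MS14-048 row (CVE-2014-2815) describes a persistence pattern rather than an in-memory exploit: a document handler writes a file into a Startup folder and the payload runs at the next interactive logon. That pattern is straightforward to hunt for in file-creation telemetry, independent of whether the specific OneNote bug is patched. The following triage script is an added example written for this page, not code from MSRC or the original post. The events it processes are constructed samples with field names loosely modelled on Sysmon Event ID 11 (FileCreate); the list of document-handling process names and the set of runnable extensions are assumptions chosen for the example and should be tuned per environment.

```python
import ntpath  # the sample paths are Windows-style; ntpath parses them on any OS
import re

# Constructed sample file-creation events for this example (not real telemetry).
# Fields loosely follow Sysmon Event ID 11 (FileCreate): writing process image
# and the full path of the created file.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"image": r"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE",
     "target": r"C:\Users\alice\Documents\OneNote Notebooks\Work\notes.one"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyTool.lnk"},
    {"image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.bat"},
]

# The two well-known Startup folder locations (per-user and all-users). Anything
# placed here is launched or resolved by Explorer at the next interactive logon.
STARTUP_PATTERNS = [
    re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE),
    re.compile(r"\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\", re.IGNORECASE),
]

# Document-handling processes that have no legitimate reason to write into a
# Startup folder. Assumption made for this example; tune to your environment.
DOCUMENT_HANDLERS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

# Extensions Windows will execute, script, or follow from the Startup folder.
RUNNABLE_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".vbs", ".js", ".lnk", ".pif"}


def is_startup_path(path):
    """True if the path lies inside a per-user or all-users Startup folder."""
    return any(pattern.search(path) for pattern in STARTUP_PATTERNS)


def is_runnable(path):
    """True if the created file carries an extension Windows will run at logon."""
    return ntpath.splitext(path)[1].lower() in RUNNABLE_EXTENSIONS


def classify(event):
    """Return 'alert', 'info' or None for one file-creation event.

    'alert': a document handler dropped a runnable file into a Startup folder,
             the persistence pattern described for CVE-2014-2815.
    'info' : some other process wrote a runnable or non-runnable file there;
             installers and users do this legitimately, so log but do not page.
    None   : not a Startup folder write at all.
    """
    if not is_startup_path(event["target"]):
        return None
    writer = ntpath.basename(event["image"]).lower()
    if writer in DOCUMENT_HANDLERS and is_runnable(event["target"]):
        return "alert"
    return "info"


def triage(events):
    """Return (writer, target, verdict) for every Startup folder write seen."""
    results = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            results.append((ntpath.basename(event["image"]).lower(), event["target"], verdict))
    return results


if __name__ == "__main__":
    for writer, target, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict.upper():5} {writer} -> {target}")
```

Running the script against the constructed events yields two alerts (ONENOTE.EXE and WINWORD.EXE each dropping a runnable file into a Startup folder) and one informational hit for Explorer creating a shortcut there; the OneNote notebook write outside the Startup folder is ignored. In a real deployment the same logic applies to Sysmon or EDR file-creation events, and the "alert" verdict is a strong signal because Office-family processes essentially never need to write to those paths.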
– Jonathan Ness, MSRC