Assessing risk for the April 2014 security updates

Today we released four security bulletins addressing 11 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin

Most likely attack vector

Max Bulletin Severity

Max exploitability

Likely first 30 days impact

Platform mitigations and key notes

MS14-017(Word)

Victim opens a malicious RTF or DOC/DOCX file.

Critical

1

Likely to continue to see RTF and DOC based exploits for CVE-2014-1761.

Addresses vulnerability described by Security Advisory 2953095, an issue under targeted attack.

MS14-018(Internet Explorer)

Victim browses to a malicious webpage.

Critical

1

Likely to see reliable exploits developed within next 30 days.

MS14-020(Publisher)

Victim opens malicious Publisher (.PUB) file.

Important

1

While we may see reliable exploits developed within the next 30 days, unlikely to see widespread exploitation due to limited deployment of Publisher.

MS14-019(Windows File Handling)

Attacker places malicious .bat and/or .cmd file on a network share from which a victim launches an application that calls CreateProcess in an unsafe manner. Similar attack vector as DLL preloading.

Important

1

While this is an exploitable vulnerability, we have historically not seen widespread exploitation of this type of vulnerability.

More details about this vulnerability in this SRD blog post today.

- Jonathan Ness, MSRC engineering team