Headline
Assessing risk for the April 2014 security updates
Today we released four security bulletins addressing 11 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max exploitability Likely first 30 days impact Platform mitigations and key notes MS14-017(Word) Victim opens a malicious RTF or DOC/DOCX file.
Today we released four security bulletins addressing 11 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Bulletin
Most likely attack vector
Max Bulletin Severity
Max exploitability
Likely first 30 days impact
Platform mitigations and key notes
MS14-017(Word)
Victim opens a malicious RTF or DOC/DOCX file.
Critical
1
Likely to continue to see RTF and DOC based exploits for CVE-2014-1761.
Addresses vulnerability described by Security Advisory 2953095, an issue under targeted attack.
MS14-018(Internet Explorer)
Victim browses to a malicious webpage.
Critical
1
Likely to see reliable exploits developed within next 30 days.
MS14-020(Publisher)
Victim opens malicious Publisher (.PUB) file.
Important
1
While we may see reliable exploits developed within the next 30 days, unlikely to see widespread exploitation due to limited deployment of Publisher.
MS14-019(Windows File Handling)
Attacker places malicious .bat and/or .cmd file on a network share from which a victim launches an application that calls CreateProcess in an unsafe manner. Similar attack vector as DLL preloading.
Important
1
While this is an exploitable vulnerability, we have historically not seen widespread exploitation of this type of vulnerability.
More details about this vulnerability in this SRD blog post today.
- Jonathan Ness, MSRC engineering team
Related news
Today we released eight security bulletins addressing 13 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. The table is designed to help you prioritize the deployment of updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max exploit-ability Likely first 30 days impact Platform mitigations and key notes MS14-029(Internet Explorer) Victim browses to a malicious webpage.