Assessing risk for the January 2014 security updates
Today we released four security bulletins addressing six CVEs. All four bulletins have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max bulletin severity | Max exploitability rating | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS14-002 (NDProxy, a kernel-mode driver) | Attacker able to run code at a low privilege level inside an application sandbox exploits this vulnerability to elevate privileges to SYSTEM. | Important | 1 | Likely to continue seeing Adobe PDF exploits leveraging this vulnerability to elevate privileges outside sandbox. | All exploits we have analyzed for this vulnerability attempt to exploit an already-patched Adobe Reader vulnerability, CVE-2013-3346. This Adobe vulnerability was addressed via a September 11, 2013 Adobe security update. Addresses vulnerability described by security advisory 2914486. |
| MS14-001 (Word) | Victim opens malicious Office document. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
| MS14-003 (win32k.sys, a kernel-mode driver) | Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
| MS14-004 (Microsoft Dynamics AX) | Attacker able to authenticate to Dynamics server could cause denial-of-service condition preventing it from servicing other client requests. | Important | n/a | Denial of service only, not usable for code execution. | |
- Jonathan Ness, MSRC engineering