Today we released four security bulletins addressing six CVEs. All four bulletins have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability rating | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| (NDProxy, a kernel-mode driver) | Attacker able to run code at a low privilege level inside an application sandbox exploits this vulnerability to elevate privileges to SYSTEM. | Important | 1 | Likely to continue seeing Adobe PDF exploits leveraging this vulnerability to elevate privileges outside sandbox. | All exploits we have analyzed for this vulnerability attempt to exploit an already-patched Adobe Reader vulnerability, CVE-2013-3346. This Adobe vulnerability was addressed via a September 11, 2013 Adobe security update. Addresses vulnerability described by security advisory 2914486. |
| | Victim opens malicious Office document. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
| (win32k.sys, a kernel-mode driver) | Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
| (Microsoft Dynamics AX) | Attacker able to authenticate to Dynamics server could cause denial-of-service condition preventing it from servicing other client requests. | Important | n/a | Denial of service only, not usable for code execution. | |
– Jonathan Ness, MSRC engineering