Today we released four security bulletins addressing 11 unique CVEs. Two bulletins have a maximum severity rating of Critical while the other two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability | Likely first 30 days impact | Platform mitigations and key notes |
(Word) | Victim opens a malicious RTF or DOC/DOCX file. | Critical | 1 | Likely to continue to see RTF and DOC based exploits for CVE-2014-1761. | Addresses vulnerability described by Security Advisory 2953095, an issue under targeted attack. |
(Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | |
(Publisher) | Victim opens malicious Publisher (.PUB) file. | Important | 1 | While we may see reliable exploits developed within the next 30 days, unlikely to see widespread exploitation due to limited deployment of Publisher. | |
(Windows File Handling) | Attacker places malicious .bat and/or .cmd file on a network share from which a victim launches an application that calls CreateProcess in an unsafe manner. The attack vector is similar to DLL preloading. | Important | 1 | While this is an exploitable vulnerability, we have historically not seen widespread exploitation of this type of vulnerability. | More details about this vulnerability in this SRD blog post today. |
– Jonathan Ness, MSRC engineering team