Assessing risk for the September 2014 security updates

Today we released four security bulletins addressing 42 unique CVEs. One bulletin has a maximum severity rating of Critical and the other three have a maximum severity of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.

| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability Index Rating | Platform mitigations and key notes |
|---|---|---|---|---|
| (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 0 | Exploitation of CVE-2013-7331 detected in the wild as an information disclosure to determine whether EMET or a third-party anti-malware product is installed prior to launching an exploit for a different vulnerability. No remote code execution vulnerabilities being addressed in this update are known to be under active attack. |
| (Task Scheduler) | Attacker running code at low privilege runs exploit binary to elevate to SYSTEM. | Important | 1 | |
| (.NET Framework) | Attacker causes compute resource exhaustion denial of service on ASP.NET webserver by sending maliciously crafted HTTP/HTTPS requests. | Important | 3 | Systems only affected if ASP.NET is explicitly installed, enabled, and registered with IIS. |
| (Lync Server) | Attacker causes Lync server to fail by sending maliciously crafted SIP invite requests to victim Lync server. | Important | 3 | Vulnerability is remote, unauthenticated denial-of-service but attacker must first have access to information present in a valid Lync Server meeting request. |
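The .NET Framework row above only applies to systems where ASP.NET is installed, enabled, and registered with IIS. The following PowerShell check is an added example (not part of the MSRC post) that an administrator can run on a Windows Server to decide whether that precondition holds before prioritizing the .NET bulletin. It assumes the standard `Get-WindowsFeature` cmdlet (ServerManager module) and the standard `aspnet_regiis.exe` path for .NET Framework 4.x; the function and variable names are the author's own.

```powershell
# Added example, not from the MSRC post: reports whether this host meets the
# precondition in the .NET Framework row (ASP.NET installed, enabled, and
# registered with IIS). Assumes Windows Server with the ServerManager module
# and the default .NET Framework 4.x install path.

function Test-AspNetRegisteredWithIis {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        IisInstalled      = $false
        AspNetFeatures    = @()
        AspNetIisMappings = @()
        Exposed           = $false
    }

    # 1. Is the Web Server (IIS) role present at all? W3SVC is the IIS service.
    $iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $result.IisInstalled = ($null -ne $iis)

    # 2. Which ASP.NET role services are installed (Server 2008 R2 / 2012 / 2012 R2)?
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $result.AspNetFeatures = @(
            Get-WindowsFeature -Name 'Web-Asp-Net', 'Web-Asp-Net45' -ErrorAction SilentlyContinue |
                Where-Object { $_.Installed } |
                Select-Object -ExpandProperty Name
        )
    }

    # 3. Ask aspnet_regiis which IIS configuration paths ASP.NET is mapped to.
    #    "-lk" lists each path together with the ASP.NET version registered there.
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    if (-not (Test-Path $regiis)) {
        $regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe'
    }
    if (Test-Path $regiis) {
        $result.AspNetIisMappings = @(& $regiis -lk 2>$null | Where-Object { $_ -match '^\S' })
    }

    # Exposed only if IIS is present AND ASP.NET is installed or mapped into it.
    $result.Exposed = $result.IisInstalled -and
        (($result.AspNetFeatures.Count -gt 0) -or ($result.AspNetIisMappings.Count -gt 0))

    [pscustomobject]$result
}

$check = Test-AspNetRegisteredWithIis
if ($check.Exposed) {
    "ASP.NET is registered with IIS on $env:COMPUTERNAME; treat the .NET Framework bulletin as applicable here."
} else {
    "ASP.NET is not registered with IIS on $env:COMPUTERNAME; the ASP.NET denial-of-service vector does not apply here."
}
$check | Format-List
```

Run it in an elevated PowerShell session on each web server; hosts where `Exposed` is `$false` still receive the update in normal cadence, but the bulletin's denial-of-service vector is not reachable on them, which is the distinction the "Platform mitigations and key notes" column is drawing.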

– Jonathan Ness, MSRC