MS14-009 - Important: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege - Version: 1.3

Severity Rating: Important
Revision Note: V1.3 (September 24, 2014): Bulletin revised to correct a missing Server Core installation entry in the Affected Software table for Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (2898855). This is an informational change only. Customers running this affected software on Server Core installations who have already applied the 2898855 update do not need to take any action. Customers running this affected software on Server Core installations who have not already installed the update should do so to be protected from the vulnerabilities addressed in this bulletin.
Summary: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft .NET Framework. The most severe vulnerability could allow elevation of privilege if a user visits a specially crafted website or a website containing specially crafted web content. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the compromised website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website.

Posted on 24 September 2014 | 2:00 am

MS14-049 - Important: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) - Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (September 24, 2014): Bulletin revised to change the Known Issues entry in the Knowledge Base Article section from "None" to "Yes".
Summary: This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Posted on 24 September 2014 | 2:00 am

MS14-055 - Important: Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928) - Version: 3.0

Severity Rating: Important
Revision Note: V3.0 (September 23, 2014): Bulletin rereleased to announce the reoffering of the 2982385 security update file (server.msp) for Microsoft Lync Server 2010. See the Update FAQ for details.
Summary: This security update resolves three privately reported vulnerabilities in Microsoft Lync Server. The most severe of these vulnerabilities could allow information disclosure if a user clicks on a specially crafted URL. In all cases, however, an attacker would have to convince users to click on the specially crafted URL, typically by getting them to click the URL in an email message or in an Instant Messenger request.

Posted on 23 September 2014 | 2:00 am

MS14-046 - Important: Vulnerability in .NET Framework Could Allow Security Feature Bypass (2984625) - Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (September 19, 2014): Updated the Known Issues entry in the Knowledge Base Article section from "None" to "Yes".
Summary: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow security feature bypass if a user visits a specially crafted website. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that could take advantage of the ASLR bypass to run arbitrary code.

Posted on 19 September 2014 | 2:00 am

MS14-012 - Critical: Cumulative Security Update for Internet Explorer (2925418) - Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (September 18, 2014): Corrected the severity table and vulnerability information to add CVE-2014-4112 as a vulnerability addressed by this update. This is an informational change only. Customers who have already successfully installed the update do not have to take any action.
Summary: This security update resolves one publicly disclosed vulnerability and seventeen privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Posted on 18 September 2014 | 2:00 am

MS14-053 - Important: Vulnerability in .NET Framework Could Allow Denial of Service (2990931) - Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (September 17, 2014): Bulletin revised to clarify language in the Executive Summary, Mitigating Factors, and Vulnerability FAQ sections that describes the attack vector for CVE-2014-4072. This is an informational change only. Customers who have already successfully installed the update do not have to take any action.
Summary: This security update resolves one privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow denial of service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website. By default, ASP.NET is not installed when Microsoft .NET Framework is installed on any supported edition of Microsoft Windows. To be affected by the vulnerability, customers must manually install and enable ASP.NET by registering it with IIS.

Posted on 17 September 2014 | 2:00 am

MS14-016 - Important: Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418) - Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (September 10, 2014): Revised Update FAQ and entries in the Operating System column of the Affected Software table to further clarify what version of Active Directory must be installed on a system to be offered the update. These are informational changes only.
Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker makes multiple attempts to match passwords to a username.

Posted on 10 September 2014 | 2:00 am

MS14-052 - Critical: Cumulative Security Update for Internet Explorer (2977629) - Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (September 9, 2014): Bulletin published.
Summary: This security update resolves one publicly disclosed and thirty-six privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Posted on 9 September 2014 | 2:00 am

MS14-054 - Important: Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948) - Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (September 9, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerability and take complete control over an affected system. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Posted on 9 September 2014 | 2:00 am

MS14-028 - Important: Vulnerabilities in iSCSI Could Allow Denial of Service (2962485) - Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (September 3, 2014): Updated the Known Issues entry in the Knowledge Base Article section from "None" to "Yes".
Summary: This security update resolves two vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends large amounts of specially crafted iSCSI packets over the target network. These vulnerabilities only affect servers for which the iSCSI target role has been enabled.

Posted on 3 September 2014 | 2:00 am

MS14-045 - Important: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) - Version: 3.0

Severity Rating: Important
Revision Note: V3.0 (August 27, 2014): Bulletin rereleased to announce the replacement of the 2982791 update with the 2993651 update for all supported releases of Microsoft Windows. See the Update FAQ for details.
Summary: This security update resolves three privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.

Posted on 27 August 2014 | 2:00 am

MS14-044 - Important: Vulnerabilities in SQL Server Could Allow Elevation of Privilege (2984340) - Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (August 13, 2014): Revised bulletin to correct the Update FAQ that addresses the question, "Will these security updates be offered to SQL Server clusters?"
Summary: This security update resolves two privately reported vulnerabilities in Microsoft SQL Server (one in SQL Server Master Data Services and the other in the SQL Server relational database management system). The more severe of these vulnerabilities, affecting SQL Server Master Data Services, could allow elevation of privilege if a user visits a specially crafted website that injects a client-side script into the user's instance of Internet Explorer. In all cases, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website, or by getting them to open an attachment sent through email.

Posted on 13 August 2014 | 2:00 am

MS14-043 - Critical: Vulnerability in Windows Media Center Could Allow Remote Code Execution (2978742) - Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (August 12, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that invokes Windows Media Center resources.

Posted on 12 August 2014 | 2:00 am

MS14-036 - Critical: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487) - Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (August 12, 2014): Rereleased bulletin to announce the offering of update 2881071 to replace update 2767915 for systems running Microsoft Office 2010 Service Pack 1 or Microsoft Office 2010 Service Pack 2. See the Update FAQ for details.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerabilities could allow remote code execution if a user opens a specially crafted file or webpage. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Posted on 12 August 2014 | 2:00 am

MS14-051 - Critical: Cumulative Security Update for Internet Explorer (2976627) - Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (August 12, 2014): Bulletin published.
Summary: This security update resolves one publicly disclosed and twenty-five privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Posted on 12 August 2014 | 2:00 am

MS14-050 - Important: Vulnerability in Microsoft SharePoint Server Could Allow Elevation of Privilege (2977202) - Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (August 12, 2014): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could use a specially crafted app to run arbitrary JavaScript in the context of the user on the current SharePoint site.

Posted on 12 August 2014 | 2:00 am

MS14-048 - Important: Vulnerability in OneNote Could Allow Remote Code Execution (2977201) - Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (August 12, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft OneNote. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft OneNote. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Posted on 12 August 2014 | 2:00 am

MS14-047 - Important: Vulnerability in LRPC Could Allow Security Feature Bypass (2978668) - Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (August 12, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker uses the vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that takes advantage of the ASLR bypass to run arbitrary code.

Posted on 12 August 2014 | 2:00 am

MS14-037 - Critical: Cumulative Security Update for Internet Explorer (2975687) - Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (July 29, 2014): Corrected the severity table and vulnerability information to add CVE-2014-4066 as a vulnerability addressed by this update. This is an informational change only. Customers who have already successfully installed the update do not have to take any action.
Summary: This security update resolves one publicly disclosed vulnerability and twenty-four privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Posted on 29 July 2014 | 2:00 am

MS13-098 - Critical: Vulnerability in Windows Could Allow Remote Code Execution (2893294) - Version: 1.6

Severity Rating: Critical
Revision Note: V1.6 (July 29, 2014): Revised bulletin to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

Posted on 29 July 2014 | 2:00 am

MS14-030 - Important: Vulnerability in Remote Desktop Could Allow Tampering (2969259) - Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (July 16, 2014): Updated the Known Issues entry in the Knowledge Base Article section from "None" to "Yes".
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active RDP session, and then sends specially crafted RDP packets to the targeted system.

Posted on 16 July 2014 | 2:00 am

MS14-039 - Important: Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685) - Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (July 16, 2014): Updated the Known Issues entry in the Knowledge Base Article section from "None" to "Yes".
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.

Posted on 16 July 2014 | 2:00 am

MS14-033 - Important: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061) - Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (July 10, 2014): Bulletin revised to remove the prerequisite requirement for the MSXML 6.0 update on Windows Server 2003 systems.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a logged on user visits a specially crafted website that is designed to invoke MSXML through Internet Explorer. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website.

Posted on 10 July 2014 | 2:00 am

MS14-041 - Important: Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681) - Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (July 8, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user. By default, the modern, immersive browsing experience on Windows 8 and Windows 8.1 runs with Enhanced Protected Mode (EPM). For example, customers using the touch-friendly Internet Explorer 11 browser on modern Windows tablets are using Enhanced Protected Mode by default. Enhanced Protected Mode uses advanced security protections that can help mitigate against exploitation of this vulnerability on 64-bit systems.

Posted on 8 July 2014 | 2:00 am

MS14-038 - Critical: Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) - Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (July 8, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link that takes them to the attacker's site, and then convince them to open the specially crafted Journal file.

Posted on 8 July 2014 | 2:00 am