Today we released seven security bulletins addressing 31 unique CVE’s. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes
MS14-010

(Internet Explorer)

Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploits developed within next 30 days. Addresses both memory corruption vulnerabilities and elevation of privilege vulnerabilities in a single package.
MS14-011

(VBScript)

Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploits developed within next 30 days. The single CVE addressed by this bulletin is included in MS14-010 for IE9 users. Customers with IE9 installed need not deploy MS14-011.
MS14-007

(DirectWrite)

Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploits developed within next 30 days. Internet Explorer is vector to this vulnerability in DirectWrite.
MS14-005

(MSXML)

Victim browses to a malicious website to be exposed to this information leak vulnerability. Important 3 Vulnerability first seen as ASLR bypass mechanism in targeted attacks during November 2013. May see attacks again begin using this again as details emerge. As discussed in the SRD and FireEye blogs during November 2013, this vulnerability was used along with another vulnerability in active attacks. The MS13-090 security update completely blocked all attacks described by those blog posts.
MS14-009

(.NET Framework)

Most likely to be exploited vulnerability involves attacker initiating but not completing POST requests to ASP.NET web application, resulting in resource exhaustion denial of service. Important 1 Resource exhaustion attacks involving CVE-2014-0253 already in progress in the wild. CVE-2014-0253 addresses resource exhaustion “Slowloris” attack.

CVE-2014-0257 addresses sandbox escape vulnerability invoving com objects running code out-of-process.

CVE-2014-0295 addresses the vsab7rt.dll ASLR bypass described at http://www.greyhathacker.net/?p=585.

MS14-008

(Forefront Protection for Exchange)

Code is unlikely to be reachable. However, if attackers do find a way, it would involve a malicious email message being processed by the Forefront Protection for Exchange service. Critical 2 Unlikely to see exploits developed targeting this vulnerability. While this vulnerability’s attack vector appears attractive (email), the vulnerability is unlikely to be reachable. It was discovered internally by code analysis and we have not been successful in developing a real-world vulnerability trigger. We address it via security update out of an abundance of caution.
MS14-006

(IPv6)

Attacker on the same subnet as victim (IPv6 link-local) sends large number of malicious router advertisements resulting in victim system bugcheck. Important 3 Denial of service only. This bugcheck is triggered by a watchdog timer on the system, not due to memory corruption. Affects Windows RT, Windows Server 2012 (not R2), and Windows 8 (not 8.1).

- Jonathan Ness, MSRC