Today we released seven security bulletins addressing 66 unique CVE’s.  Two bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.

Bulletin         Most likely attack vector Max Bulletin Severity Max XI Likely first 30 days impact Platform mitigations and key notes
MS14-035

(Internet Explorer)
Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploits developed within next 30 days. CVE count (59) is result of focusing on in-the-wild exploits last month. These are the May + June fixes for issues not under active attack.
MS14-034

(Word 2007)
Victim opens malicious Office document. Important 1 Likely to see reliable exploits developed within next 30 days. Issue addressed in embedded font parsing. Reachable via either doc or docx.  Word 2010 and later not affected.
MS14-036

(GDI+)
Victim open malicious graphics file or malicious PowerPoint document Critical 1 Likely to see reliable exploits developed within next 30 days. Issue addressed is in EMF+ record type parsing, an area we have not seen real-world attackers pursue recently.  (Hence, table lists Word security update ahead of GDI+ update.)
MS14-033

(MSXML)
Victim browses to a malicious webpage or opens a malicious document, inadvertently sending local path name of downloaded file to attacker.  Path name by default includes the user’s login name. Important 3 Less likely to see widespread usage of information disclosure vulnerabilities. Information disclosure only.
MS14-030

(Terminal Services)
Attacker acting as man-in-the-middle at the start of a Remote Desktop session may be able to read information from or tamper with RDP session. Important n/a Less likely to see widespread usage of vulnerabilities enabling tampering. Terminal Services NLA feature mitigates this vulnerability.

MS14-031

(TCP)
Attacker initiates large number of connections with malformed TCP options.  Each connection temporarily consumes non-paged pool memory longer than it should, leading to resource exhaustion. Important 3 Less likely to see widespread usage of vulnerability allowing resource exhaustion denial-of-service only. Attacker must control TCP Options fields.  Attacker would be unable to cause denial-of-service for systems behind network infrastructure that overwrites the TCP Options field.
MS14-032

(Lync Server XSS)
Victim clicks on a specially-crafted malicious link to an established Lync meeting.  Attacker can take action in context of Lync Server service that victim would normally have access to take. Important 3 Less likely to see widespread usage of this vulnerability. XSS style vulnerability.

 

- Jonathan Ness, MSRC engineering team