Severity Rating: Important
Revision Note: V1.0 (April 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an authenticated attacker runs a specially crafted application in a virtual machine (VM) session. Note that the denial of service does not allow an attacker to execute code or elevate user rights on other VMs running on the Hyper-V host; however, it could cause other VMs on the host to not be manageable in Virtual Machine Manager.

Revision Note: V1.0 (March 24, 2015): Advisory published.
Summary: Microsoft is aware of improperly issued digital certificates coming from the subordinate CA, MCS Holdings, which could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The improperly issued certificates cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows.

Revision Note: V1.0 (March 16, 2015): Advisory published.
Summary: Microsoft is aware of an improperly issued SSL certificate for the domain “live.fi” that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

Severity Rating: Important
Revision Note: V1.0 (March 10, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker creates multiple Remote Desktop Protocol (RDP) sessions that fail to properly free objects in memory. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

Severity Rating: Important
Revision Note: V1.0 (March 10, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an instant messenger or email message that takes them to the attacker’s website, and then convince them to click the specially crafted URL.

Severity Rating: Important
Revision Note: V1.0 (March 10, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems. The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an exploitable cipher suite is affected.

Severity Rating: Important
Revision Note: V1.0 (March 10, 2015): Bulletin published.
Summary: This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow security feature bypass if an attacker logs on to the system and runs a specially crafted application designed to increase privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Severity Rating: Critical
Revision Note: V1.0 (March 10, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Severity Rating: Important
Revision Note: V1.0 (March 10, 2015): Bulletin published.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Severity Rating: Critical
Revision Note: V1.0 (March 10, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.