Severity Rating: Important
Revision Note: V1.0 (June 10, 2014): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Category Archives: Microsft
Microsoft
MS14-031 – Important: Vulnerability in TCP Protocol Could Allow Denial of Service (2962478) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (June 10, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a sequence of specially crafted packets to the target system.
MS14-032 – Important: Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (June 10, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Lync Server. The vulnerability could allow information disclosure if a user tries to join a Lync meeting by clicking a specially crafted meeting URL..
2962824 – Update Rollup of Revoked Non-Compliant UEFI Modules – Version: 1.1
Revision Note: V1.1 (June 10, 2014): Advisory revised to announce a detection change for the update rollup (updates 2920189 and 2961908). This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: With this advisory, Microsoft is revoking the digital signature for four private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot.
2862973 – Update for Deprecation of MD5 Hashing Algorithm for Microsoft Root Certificate Program – Version: 3.0
Revision Note: V3.0 (June 10, 2014): Revised advisory to rerelease the 2862973 update for Windows 8 and Windows Server 2012. This rerelease only applies to systems running Windows Embedded 8 and Windows Server 2012 for Embedded Systems. See the Advisory FAQ for more information.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
MS14-029 – Critical: Security Update for Internet Explorer (2962482) – Version: 1.2
Severity Rating: Critical
Revision Note: V1.2 (May 27, 2014): Bulletin revised to correct the update replacement for the Internet Explorer 11 updates and to announce a detection change in the 2961851 update. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves two privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
MS14-025 – Important: Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (May 13, 2014): Bulletin published.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an authenticated attacker uses certain Active Directory Group Policy preferences extensions to configure, distribute and ultimately decrypt the passwords that are stored with Group Policy preferences.
MS14-022 – Critical: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166) – Version: 1.0
Severity Rating: Critical
Revision Note: V1.0 (May 13, 2014): Bulletin published.
Summary: This security update resolves multiple privately reported vulnerabilities in Microsoft Office server and productivity software. The most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.
MS14-024 – Important: Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (May 13, 2014): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in an implementation of the MSCOMCTL common controls library. The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.
MS14-023 – Important: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037) – Version: 1.1
Severity Rating: Important
Revision Note: V1.1 (May 13, 2014): V1.1 (May 13, 2014): Corrected the update replacement for the Microsoft Office 2010 (proofing tools) (2878284) update.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens an Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.