Privilege Escalation Vulnerabilities Headline Modest January Security Bulletin

Posted: January 15th, 2014
Filed under: Web and Application Security


Microsoft is kicking off 2014 with a modest security bulletin, which includes several vulnerabilities for Windows XP and Windows Server 2003. Luckily, none of this week’s batch is rated critical. We are graced with ‘Important’-level vulnerabilities across the board.

Nevertheless, as with any security update, we recommend downloading and applying the patches as soon as possible.

Apply all the Patches

MS14-001: Microsoft Office, SharePoint Server, Office Web Apps

Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)

Attention Microsoft Office users with admin privileges: this update is intended for you. It fixes an issue in Microsoft Office that primarily affects the 2010 and 2013 versions. If a specially crafted malicious file is opened using a vulnerable version of Word or other Office software, remote code can be executed. Microsoft says that a successful attack could allow the hacker to gain the same user rights as the current user.

See affected versions and download patches

MS14-002: Windows XP, Windows Server 2003

Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)

This update fixes a zero-day vulnerability in Microsoft Windows that could allow an elevation of privileges. In order for privilege escalation to occur, an attacker needs to log into a system and run a specially crafted application, Microsoft says. The attacker must have valid logon credentials and local access to exploit the vulnerability successfully. This vulnerability was made public in November and has been exploited in the wild, so it is imperative to patch applicable systems.

See affected versions and download patches

MS14-003: Windows 7, Windows Server 2008

Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)

Similar to MS14-002, this update resolves a vulnerability in Windows that can allow for the elevation of privileges through the execution of a specially crafted application. Again, the kernel-mode driver vulnerability can only be exploited with valid credentials and local access.

See affected versions and download patches

MS14-004: Microsoft Dynamics

Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)

Lastly, Microsoft Dynamics gets a vulnerability patched. This vulnerability can allow for denial of service when an attacker submits specially crafted data to an AX Application Object Server instance.

See affected versions and download patches

 
