Filed under: Web and Application Security
Tags: infosec, microsoft patch tuesday, security, web security, windows security
Microsoft is kicking off 2014 with a modest security bulletin, which includes several vulnerabilities for Windows XP and Windows Server 2003. Luckily, none of this week’s batch contain any critical vulnerabilities. We are graced with ‘Important’-level vulnerabilities across the board.
Nevertheless, as with any security update, we recommend downloading and applying as soon as possible.
Apply all the Patches
MS14-001: Microsoft Office, SharePoint Server, Office Web Apps
Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)
Attention Microsoft Office users with admin privileges: this update is intended for you. It fixes an issue in Microsoft Office that primarily affects 2010 and 2013 versions. If a specifically-crafted malicious file is opened using a vulnerable version of Word or other Office software, remote code can be executed. Microsoft says that a successful attack could allow the hacker gain the same user rights as the current user.
MS14-002: Windows XP, Windows Server 2003
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)
This update fixes a zero-day vulnerability in Microsoft Windows that could allow an elevation of privileges. In order for privilege escalation to occur, an attacker needs to log into a system and run a specially crafted application, Microsoft says. The attack must have valid logon credentials and have local access to exploit successfully. This vulnerability was made public in November and has been exploited in the wild, so it is imperative to patch applicable systems.
MS14-003: Windows 7, Windows Server 2008
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)
Similarly to MS14-002, this update resolves a vulnerability in Windows that can allow for the elevation of privileges with the execution of a specially crafted application. Again, the Kernel-Mode Drivers can only be exploited with valid credentials and local access.
MS14-004: Microsoft Dynamics
Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)
Lastly, Microsoft Dynamics gets a vulnerability patched. This vulnerability can allow for denial of service when an attacker submits specially crafted data to an AX Application Object Server instance.
No Comments »