Microsoft has released their monthly Patch Tuesday updates. There are seven updates: six for Windows, one for Microsoft Forefront Protection 2010 for Exchange Server. Three of the Windows updates are rated Critical, the other three Important.
A total of 32 vulnerabilities are addressed in these updates, 24 of them in the Cumulative Update for Internet Explorer. According to Microsoft, four of the vulnerabilities have already been publicly disclosed and, for two of those, Microsoft is aware of targeted attacks in the wild which attempt to exploit them. Microsoft credits 13 different researchers for reporting vulnerabilities to them.
- MS14-005: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036) — This fixes one non-critical, publicly disclosed vulnerability which could disclose files or other content on the system when the user views content in Internet Explorer which is designed to invoke the XML Core Services. Oddly, Microsoft says both that successful exploit code is unlikely and that they are aware of attacks in the wild which attempt to exploit it.
- MS14-006: Vulnerability in IPv6 Could Allow Denial of Service (2904659) — One non-critical vulnerability affecting Windows 8, Windows RT and Windows Server 2012.
- MS14-007: Vulnerability in Direct2D Could Allow Remote Code Execution (2912390) — This is a single Microsoft Graphics Component Memory Corruption Vulnerability, rated critical, which could allow remote code execution when the user views specially crafted content in Internet Explorer on Windows 7, Windows 8, Windows RT, Windows 8.1, Windows RT 8.1, Windows Server 2012 or Windows Server 2012 R2.
- MS14-008: Vulnerability in Microsoft Forefront Protection for Exchange Could Allow Remote Code Execution (2927022) — An attacker could run code in the context of the configured service account.
- MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) — Three .NET vulnerabilities, two of them publicly-disclosed. The most serious could allow elevation of privilege from viewing web content.
- MS14-010: Cumulative Security Update for Internet Explorer (2909921) — 24 vulnerabilities, one of which is publicly disclosed. 23 are memory corruption vulnerabilities and the last is a Cross-domain Information Disclosure Vulnerability.
- MS14-011: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390) — Remote code execution is possible when the user visits a malicious web site.
In their initial Advance Notification for this month, Microsoft indicated that there would be five updates, four for Windows. On Monday they issued an updated Advance Notification Bulletin which added two extra updates for Windows. They are MS14-005 and MS14-006 in the list above.