Microsoft fixes 29 Windows vulnerabilities

Microsoft fixes 29 Windows vulnerabilities

Summary: UPDATED. This Patch Tuesday brings six updates but the first, a Cumulative Update for Internet Explorer, fixes 24 of the vulnerabilities.


Microsoft today released six security bulletins and updates to address the vulnerabilities disclosed in them. The updates address a total of 29 vulnerabilities.

Update at 2:20 pm ET: This story is updated below to clarify the exploitability of MS14-042.

  • MS14-037: Cumulative Security Update for Internet Explorer (2975687) — This update fixes 24 vulnerabilities, all of them memory corruption vulnerabilities, in every supported version of Internet Explorer. Ironically, the only IE version for which there are no critical vulnerabilities in this update is IE6 on Windows Server 2003. None of the vulnerabilities had been publicly disclosed or exploited.

  • MS14-038: Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) — A user who opens a specially-crafted Journal file can be exploited in their user context. All versions of Windows since Vista are affected and the vulnerability is critical on all of them. Running as a standard user limits the potential damage.

  • MS14-039: Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685) — When the on-screen keyboard is triggered by a malicious low-integrity process, that process could load and execute programs with the privileges of the current user. This vulnerability is rated important.

  • MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) — An attacker who has rights to log on locally could run a malicious program that would elevate privileges to kernel mode. This vulnerability is rated important.

  • MS14-041: Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681) — A user could elevate privilege by running a malicious program from a low-integrity process. Running IE in immersive mode with Enhanced Protected Mode helps to mitigate this problem. This vulnerability is rated important.

  • MS14-042: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) — A remote authenticated attacker could create and run a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system, triggering a denial of service. This vulnerability is rated moderate.

The Microsoft Exploitability Index this month's updates says that successful exploit code for 28 of the 29 vulnerabilities is "likely." The 29th is rated Moderate and therefore not rated as to exploitability. 

As is usually the case, Microsoft will also release a new version of the Windows Malicious Software Removal Tool and a large collection of non-security updates to various Windows versions.

Topics: Security, Microsoft, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • WOW!! And I thought Windows 8/8.1 were more secure.

    Then again, it's been said that about every Microsoft Windows version. Too F'N funny!!
    Arm A. Geddon
    • One more thing...

      Windows 7 FTW!!
      Arm A. Geddon
    • non-security

      To be clear, that long list of updates at the bottom of the story is a list of non-security updates.
      • BUT...BUT...BUT...

        Larry. I still see more Windows 8/8.1 flaws then Windows 7.
        Arm A. Geddon
        • As expected

          Wouldn't you expect a newer OS to have more flaws than a more mature product like Win 7?
          • Nope

            See Microsoft's SDL.
            Rabid Howler Monkey
          • XP is more matured

            With that line of reasoning, it is obvious that XP is more matured than Win7, hence less buggy.
          • Direct from the author/writer himself

            [i]" Ironically, the only IE version for which there are no critical vulnerabilities in this update is IE6 on Windows Server 2003. [/i]
          • Huh?

            You're making us laugh.
        • Reading comprehension

          Isn't your strength. Most of the patches were for IE, and that was a cumulative patch. Mr. Goff is correct on both Win 8.1 and OS patching. But don't let facts get in the way of your posts.
          Luke Skywalker
          • Re: Reading comprehension

            No, mine is fine thank you very much. I think you have the problem. I think you arrived here too late. As you can see the article was updated probably to hide all those Windows 8/8.1 flaws that were listed. Sorry, but don't let the facts get in the way of your Microsoft fanboyism.
            Arm A. Geddon
          • Take off your tin foil hat

            and use that little brain of yours for something other than trolling.
          • He was a an abused child

            you have to forgive is asinine nature.
        • Where do you see that?

          I see as many security vulnerabilities and updates for 7 as for 8.
          If you're talking about the list below that, many of those items are not bugs. Read the list. You can also assume that they're looking for things to do in Win8 far more than on Win 7.
          • what it is

            Many of the win8 updates are new versions of the Modern apps for systems that are configured for WSUS only and no access to the store.
    • Windows 8/8.1 is more secure

      than any version before it.
      Michael Alan Goff
    • More secure does not mean completely secure.

      Learn the difference.
      • what's completely secure?

        Nothing's completely secure
        • My point exactlt

          "Nothing's completely secure"

          The only one's who think so are the ABM'ers
  • Hi Larry!! Better check some of your links. I'm getting a few of these...

    The page you are looking for may have a new location, or is no longer available.
    Arm A. Geddon