Patch Tuesday Lite: 4 non-critical updates from Microsoft

Summary: In the least-critical Patch Tuesday in over 2 years, Microsoft issues just 4 updates. One of them fixes a flaw that has been exploited in the wild.

Microsoft disclosed four security bulletins today describing a total of six vulnerabilities, and released product updates to address these vulnerabilities.

This is the first month since September 2011 that Microsoft has released no critical updates in a Patch Tuesday cycle, and the first since September 2012 that they have released four or fewer updates.

The four bulletins, all of which are rated Important:

  • MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605) — At least one of three memory corruption vulnerabilities affects every version of Word or the Word Viewer, as well as the relevant parts of Office Web Apps and SharePoint. These are remote code execution vulnerabilities. [Note: The Internet Storm Center at the SANS Institute disagrees with Microsoft and calls these critical vulnerabilities.]
  • MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) — A user with valid logon credentials who is able to log on locally could run a special program and elevate privilege. This vulnerability affects only Windows XP and Windows Server 2003. Note: This vulnerability was reported back in November as being exploited in the wild.
  • MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602) — Windows 7 and Windows Server 2008 R2 are vulnerable to a privilege elevation vulnerability. The user must have valid logon credentials and be able to log on locally.
  • MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826) — It's hard to get worked up about this one. If an authenticated attacker submits specially crafted data to an affected Microsoft Dynamics AX Application Object Server (AOS) instance, the AOS instance could stop functioning. We used to call these "crash bugs" but today they are denial of service vulnerabilities. To top it off, Microsoft says that working exploit code for this vulnerability is not likely.

Microsoft also released today a large number of non-security updates including a new version of the Windows Malicious Software Removal Tool.

Topics: Security, Microsoft, Windows

Talkback

5 comments
  • Windows Defender

    Has anyone received the Windows Defender update (KB2894853) that was supposed to come out? I have not seen it on any pc and the Microsoft support page (http://support.microsoft.com/kb/894199/en-gb) does not mention it anymore either.
    remco8264
    • Windows Defender

      "How to manually download the latest definition updates for Windows Defender"

      http://support.microsoft.com/kb/923159
      RickLively
      • Windows Defender

        Thanks, but this was not about a definition update, but about a program update.

        Update for Windows 8.1, Windows RT 8.1, Windows 8, and Windows RT (KB2894853)
        Install this update to improve protection functionality in Windows Defender. See the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
        remco8264
        • That number is gone

          Search for 2894853 on microsoft.com and you get no hits. It's not happening. There were updates issued in April (http://support.microsoft.com/kb/2781197/en-us) and October (http://support.microsoft.com/kb/2856373/en-us)
          larry@...
          • Defender Definition Updates

            These show up as optional which means you have to do them manually. If you skip a few you will have to do them one at a time.
            1. Force a check updates.
            2. Select and install.
            3. When finished force a check updates.
            4. Select and install.
            5. When finished force a check updates.
            6. etc.
            This manual process must be repeated until it finally shows up there are no optional updates available.

            Choke, gag, choke.
            MichaelInMA
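The "check for updates, install, check again" loop described in the comment above can be scripted against the Windows Update Agent COM API instead of being clicked through by hand. This is an added example, not code from the article or any commenter; it assumes an elevated PowerShell session, and the `*Windows Defender*` title filter and the round limit are my choices, not anything the page specifies.

```powershell
# Added example: repeat the optional-update search/install cycle until no
# optional Windows Defender updates remain. Run from an elevated prompt.
$session   = New-Object -ComObject Microsoft.Update.Session
$searcher  = $session.CreateUpdateSearcher()
$maxRounds = 10   # assumption: cap the loop so a stuck update cannot spin forever

for ($round = 1; $round -le $maxRounds; $round++) {
    # IsInstalled=0: not yet applied. AutoSelectOnWebSites=0: the agent's flag for
    # updates Windows Update lists under "optional" rather than "important".
    $pending = $searcher.Search("IsInstalled=0 and Type='Software' and AutoSelectOnWebSites=0").Updates |
        Where-Object { $_.Title -like '*Windows Defender*' }   # assumption: title filter

    if (-not $pending) {
        Write-Host "Round ${round}: no optional Windows Defender updates remain."
        break
    }

    # Collect this round's updates into a batch the downloader/installer accept.
    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $pending) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        $kb = $u.KBArticleIDs | Select-Object -First 1
        Write-Host ("Round {0}: queuing {1} (KB{2})" -f $round, $u.Title, $kb)
        [void]$batch.Add($u)
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $batch
    $result = $installer.Install()

    # OperationResultCode: 2 = Succeeded, 3 = Succeeded with errors, 4 = Failed.
    Write-Host ("Round {0}: result code {1}, reboot required: {2}" -f $round, $result.ResultCode, $result.RebootRequired)
    if ($result.RebootRequired) {
        # Further detection is unreliable until the restart; stop and let the admin reboot.
        Write-Warning "Restart required before the next check; stopping."
        break
    }
}
```

Each pass mirrors one manual "force a check, select and install" iteration; the loop ends when the search returns nothing or a pending reboot blocks further detection.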