Microsoft today released six security bulletins and updates to address the vulnerabilities disclosed in them. The updates address a total of 29 vulnerabilities.
Update at 2:20 pm ET: This story is updated below to clarify the exploitability of MS14-042.
- MS14-037: Cumulative Security Update for Internet Explorer (2975687) — This update fixes 24 vulnerabilities, all of them memory corruption vulnerabilities, in every supported version of Internet Explorer. Ironically, the only IE version for which there are no critical vulnerabilities in this update is IE6 on Windows Server 2003. None of the vulnerabilities had been publicly disclosed or exploited.
- MS14-038: Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) — If a user opens a specially crafted Journal file, the attacker can execute code in that user's context. All versions of Windows since Vista are affected and the vulnerability is critical on all of them. Running as a standard user limits the potential damage.
- MS14-039: Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685) — When the on-screen keyboard is triggered by a malicious low-integrity process, that process could load and execute programs with the privileges of the current user. This vulnerability is rated important.
- MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) — An attacker who has rights to log on locally could run a malicious program that would elevate privileges to kernel mode. This vulnerability is rated important.
- MS14-041: Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681) — A user could elevate privilege by running a malicious program from a low-integrity process. Running IE in immersive mode with Enhanced Protected Mode helps to mitigate this problem. This vulnerability is rated important.
- MS14-042: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) — A remote authenticated attacker could create and run a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system, triggering a denial of service. This vulnerability is rated moderate.
The Microsoft Exploitability Index for this month's updates says that successful exploit code for 28 of the 29 vulnerabilities is "likely." The 29th is rated Moderate and therefore is not rated for exploitability.
As is usually the case, Microsoft will also release a new version of the Windows Malicious Software Removal Tool and a large collection of non-security updates to various Windows versions.