Microsoft has released four security bulletins and updates to address them. A total of 42 vulnerabilities are addressed in these updates.
- MS14-052: Cumulative Security Update for Internet Explorer (2977629) — This update fixes 37 vulnerabilities, one of them publicly-disclosed back in February. The other 36 are all memory corruption vulnerabilities. The worst of them could allow an attacker to run code on the user's system in the context of the user. The public one is less severe and the attack detected relied on particular versions of Adobe Flash. All versions of Windows other than the Server Core versions are affected by these bugs. It is rated critical on client versions of the operating system and Moderate on server versions. This is the only security update of the four today to address a Critical vulnerability. The new versions of IE 10 and 11 also incorporate the .
- MS14-053: Vulnerability in .NET Framework Could Allow Denial of Service (2990931) — This is a single vulnerability which affects all current versions of the Microsoft .NET Framework except version 3.5 Service Pack 1. All versions of Windows, including the Server Core versions except for the non-R2 versions of Windows Server 2008 are affected by this vulnerability. It is rated Important on all of them.
- MS14-054: Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948) — An attacker who logged on to the system and ran a malicious program could elevate privilege to that of the local system account. This single vulnerability affects only the current generations of Windows: Windows RT, Windows 8.x and Windows Server 2012 and Windows Server 2012 R2, including Server Core. It is rated Important on all of them.
- MS14-055: Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928) — An attacker who sends a specially-crafted request to Microsoft Lync Server 2010 or 2013 could cause a denial of service in the server.
Note that to be offered any security updates on Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2, the 2919355 update must be installed on the system. To be offered any security updates for Internet Explorer 11 on Windows 7 or Windows Server 2008 R2,update 2929437 must be installed on the system.
Asked about the vulnerability that went unaddressed for months, a Microsoft spokesperson provided this statement: "There are many factors that affect the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability is different, with its own unique challenges. Microsoft follows an extensive process involving thorough investigation, update development for all versions of affected products, and testing for compatibility among other operating systems and related applications."