Patch Tuesday Lite: 4 non-critical updates from Microsoft
Summary: In the least-critical Patch Tuesday in over 2 years, Microsoft issues just 4 updates. One of them fixes a flaw that has been exploited in the wild.
By Larry Seltzer for Zero Day | January 14, 2014 -- 18:23 GMT (10:23 PST)
Microsoft disclosed four security bulletins today describing a total of six vulnerabilities, and released product updates to address these vulnerabilities. This is the first month since September 2011 that Microsoft has released no critical updates in a Patch Tuesday cycle, and the first since September 2012 that they have released four or fewer updates.
The four bulletins, all of which are rated Important:
* MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605) — At least one of three memory corruption vulnerabilities affect every version of Word or the Word viewer, as well as the relevant parts of Office Web Apps and SharePoint. These are remote code execution vulnerabilities. [Note: The Internet Storm Center at the SANS Institute disagrees with Microsoft and calls these critical vulnerabilities.]
* MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) — A user with valid logon credentials who is able to log on locally could run a special program and elevate privilege. This vulnerability affects only Windows XP and Windows Server 2003. Note: This vulnerability was reported back in November as being exploited in the wild.
*MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602) — Windows 7 and Windows Server 2008 R2 are vulnerable to a privilege elevation vulnerability. The user must be have valid logon credentials and be able to log on locally.
* MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826) — It's hard to get worked up about this one. If an authenticated attacker submits specially crafted data to an affected Microsoft Dynamics AX Application Object Server (AOS) instance, the AOS instance could stop functioning. We used to call these "crash bugs" but today they are denial of service vulnerabilities. To top it off, Microsoft says that working exploit code for this vulnerability is not likely.
Microsoft also released today a large number of non-security updates including a new version of the Windows Malicious Software Removal Tool.