Update Reports

Microsoft Windows Security Updates




Bulletin ID:
MS14-075
Title:
Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
Update Type:
Security Update
Severity:
Important
Date:
2014-12-16
Description:
This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL.
Vulnerabilities:
CVE-2014-6319
CVE-2014-6325
CVE-2014-6326
CVE-2014-6336
Included Updates:
2986475
2996150
3009712
3011140
Applies to:
Microsoft Exchange Server 2007 Service Pack 3
Microsoft Exchange Server 2010 Service Pack 3
Microsoft Exchange Server 2013 Cumulative Update 6
Microsoft Exchange Server 2013 Service Pack 1

Bulletin ID:
MS14-085
Title:
Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)
Update Type:
Security Update
Severity:
Important
Date:
2014-12-09
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user browses to a website containing specially crafted JPEG content. An attacker could use this information disclosure vulnerability to gain information about the system that could then be combined with other attacks to compromise the system. The information disclosure vulnerability by itself does not allow arbitrary code execution. However, an attacker could use this information disclosure vulnerability in conjunction with another vulnerability to bypass security features such as Address Space Layout Randomization (ASLR).
Vulnerabilities:
CVE-2013-6355
CVE-2014-6355
Included Updates:
3013126
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-083
Title:
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
Update Type:
Security Update
Severity:
Important
Date:
2014-12-09
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Excel. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Excel file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-6360
CVE-2014-6361
Included Updates:
2910902
2910929
2920790
2984942
3017347
Applies to:
Microsoft Excel 2007 Service Pack 3
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 (32-bit editions)
Microsoft Excel 2013 (64-bit editions)
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Office Compatibility Pack Service Pack 3

Bulletin ID:
MS14-082
Title:
Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
Update Type:
Security Update
Severity:
Important
Date:
2014-12-09
Description:
This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-6364
Included Updates:
2553154
2596927
2726958
3017349
Applies to:
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 (32-bit editions)
Microsoft Office 2013 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)

Bulletin ID:
MS14-081
Title:
Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
Update Type:
Security Update
Severity:
Critical
Date:
2014-12-09
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-6356
CVE-2014-6357
Included Updates:
2883050
2889851
2899518
2899519
2899581
2910892
2910916
2920729
2920792
2920793
3017301
Applies to:
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office for Mac 2011
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 (32-bit editions)
Microsoft Word 2013 (64-bit editions)
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word Viewer

Bulletin ID:
MS14-066
Title:
Vulnerability in Schannel Could Allow Remote Code Execution (2992611)
Update Type:
Security Update
Severity:
Critical
Date:
2014-12-09
Description:
This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.
Vulnerabilities:
CVE-2014-6321
Included Updates:
2992611
Applies to:
SA2868725
SA2871997
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-065
Title:
Cumulative Security Update for Internet Explorer (3003057)
Update Type:
Security Update
Severity:
Critical
Date:
2014-12-09
Description:
This security update resolves seventeen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-6323
CVE-2014-6339
Included Updates:
3003057
Applies to:
Internet Explorer 10
Internet Explorer 11
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Bulletin ID:
MS14-068
Title:
Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
Update Type:
Security Update
Severity:
Critical
Date:
2014-11-18
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.
Vulnerabilities:
CVE-2014-6324
Included Updates:
3011780
Applies to:
SA2871997
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-079
Title:
Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)
Update Type:
Security Update
Severity:
Moderate
Date:
2014-11-11
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker places a specially crafted TrueType font on a network share and a user subsequently navigates there in Windows Explorer. In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to persuade users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
Vulnerabilities:
CVE-2014-6317
Included Updates:
3002885
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-078
Title:
Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)
Update Type:
Security Update
Severity:
Moderate
Date:
2014-11-11
Description:
This security update resolves a privately reported vulnerability in Microsoft Input Method Editor (IME) (Japanese). The vulnerability could allow sandbox escape based on the application sandbox policy on a system where an affected version of the Microsoft IME (Japanese) is installed. An attacker who successfully exploited this vulnerability could escape the sandbox of a vulnerable application and gain access to the affected system with logged-in user rights. If the affected system is logged in with administrative rights, an attacker could then install programs; view, change or delete data; or create new accounts with full administrative rights.
Vulnerabilities:
CVE-2014-4077
Included Updates:
2889913
2991963
2992719
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-077
Title:
Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381)
Update Type:
Security Update
Severity:
Important
Date:
2014-11-11
Description:
This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application, and an attacker reopens the application in the browser immediately after the user has logged off.
Vulnerabilities:
CVE-2014-6331
Included Updates:
3003381
Applies to:
Active Directory Federation Services 2.0
Active Directory Federation Services 2.1
Active Directory Federation Services 3.0

Bulletin ID:
MS14-076
Title:
Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)
Update Type:
Security Update
Severity:
Important
Date:
2014-11-11
Description:
This security update resolves a privately reported vulnerability in Microsoft Internet Information Services (IIS) that could lead to a bypass of the "IP and domain restrictions" security feature. Successful exploitation of this vulnerability could result in clients from restricted or blocked domains having access to restricted web resources.
Vulnerabilities:
CVE-2014-4078
Included Updates:
2982998
Applies to:
Microsoft Internet Information Services 8.0
Microsoft Internet Information Services 8.5

Bulletin ID:
MS14-074
Title:
Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743)
Update Type:
Security Update
Severity:
Important
Date:
2014-11-11
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass when Remote Desktop Protocol (RDP) fails to properly log audit events. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Vulnerabilities:
CVE-2014-6318
Included Updates:
3003743
Applies to:
SA2871997
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-073
Title:
Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)
Update Type:
Security Update
Severity:
Important
Date:
2014-11-11
Description:
This security update resolves a privately reported vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could run arbitrary script in the context of the user on the current SharePoint site. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.
Vulnerabilities:
CVE-2014-4116
Included Updates:
2889838
3000431
Applies to:
Microsoft SharePoint Foundation 2010 Service Pack 2

Bulletin ID:
MS14-072
Title:
Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)
Update Type:
Security Update
Severity:
Important
Date:
2014-11-11
Description:
This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. Only custom applications that have been specifically designed to use .NET Remoting would expose a system to the vulnerability.
Vulnerabilities:
CVE-2014-4149
Included Updates:
2978114
2978116
2978120
2978121
2978122
2978124
2978125
2978126
2978127
2978128
3005210
Applies to:
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4
Microsoft .NET Framework 4.5.1/4.5.2
Microsoft .NET Framework 4.5/4.5.1/4.5.2

Bulletin ID:
MS14-071
Title:
Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)
Update Type:
Security Update
Severity:
Important
Date:
2014-11-11
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an application uses the Microsoft Windows Audio service. The vulnerability by itself does not allow arbitrary code to be run. The vulnerability would have to be used in conjunction with another vulnerability that allowed remote code execution.
Vulnerabilities:
CVE-2014-6322
Included Updates:
3005607
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-070
Title:
Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)
Update Type:
Security Update
Severity:
Important
Date:
2014-11-11
Description:
This security update resolves a publicly reported vulnerability in TCP/IP that occurs during input/output control (IOCTL) processing. This vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process. If this process runs with administrator privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Vulnerabilities:
CVE-2014-4076
Included Updates:
2989935
Applies to:
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2

Bulletin ID:
MS14-069
Title:
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)
Update Type:
Security Update
Severity:
Important
Date:
2014-11-11
Description:
This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office 2007. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-6333
CVE-2014-6334
CVE-2014-6335
Included Updates:
2899526
2899527
2899553
3009710
Applies to:
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Word 2007 Service Pack 3
Microsoft Word Viewer

Bulletin ID:
MS14-067
Title:
Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)
Update Type:
Security Update
Severity:
Critical
Date:
2014-11-11
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a logged-on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website.
Vulnerabilities:
CVE-2014-4118
Included Updates:
2993958
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-064
Title:
Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)
Update Type:
Security Update
Severity:
Critical
Date:
2014-11-11
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-6332
CVE-2014-6352
Included Updates:
3006226
3010788
3011443
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-049
Title:
Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490)
Update Type:
Security Update
Severity:
Important
Date:
2014-11-11
Description:
This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2012-4784
CVE-2014-1814
Included Updates:
2918614
2962490
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-063
Title:
Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)
Update Type:
Security Update
Severity:
Important
Date:
2014-10-14
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. An elevation of privilege vulnerability exists in the way the Windows FASTFAT system driver interacts with FAT32 disk partitions. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
Vulnerabilities:
CVE-2014-4115
Included Updates:
2998579
Applies to:
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-062
Title:
Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)
Update Type:
Security Update
Severity:
Important
Date:
2014-10-14
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker sends a specially crafted input/output control (IOCTL) request to the Message Queuing service. Successful exploitation of this vulnerability could lead to full access to the affected system. By default, the Message Queuing component is not installed on any affected operating system edition and can only be enabled by a user with administrative privileges. Only customers who manually enable the Message Queuing component are likely to be vulnerable to this issue.
Vulnerabilities:
CVE-2014-4971
Included Updates:
2993254
Applies to:
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2

Bulletin ID:
MS14-061
Title:
Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434)
Update Type:
Security Update
Severity:
Important
Date:
2014-10-14
Description:
This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if an attacker convinces a user to open a specially crafted Microsoft Word file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-4117
Included Updates:
2883008
2883013
2883031
2883032
2883098
2889827
3000434
Applies to:
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 1 (32-bit editions)
Microsoft Office 2010 Service Pack 1 (64-bit editions)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office for Mac 2011
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 1 (32-bit editions)
Microsoft Word 2010 Service Pack 1 (64-bit editions)
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)

Bulletin ID:
MS14-060
Title:
Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869)
Update Type:
Security Update
Severity:
Important
Date:
2014-10-14
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-4114
Included Updates:
3000869
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-059
Title:
Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)
Update Type:
Security Update
Severity:
Important
Date:
2014-10-14
Description:
This security update resolves a publicly disclosed vulnerability in ASP.NET MVC. The vulnerability could allow security feature bypass if an attacker convinces a user to click a specially crafted link or to visit a webpage that contains specially crafted content designed to exploit the vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through a web browser, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website, or by getting them to open an attachment sent through email.
Vulnerabilities:
CVE-2014-4075
Included Updates:
2990942
2992080
2993928
2993937
2993939
2994397
Applies to:
ASP.NET MVC 2.0
ASP.NET MVC 3.0
ASP.NET MVC 4.0
ASP.NET MVC 5.0
ASP.NET MVC 5.1

Bulletin ID:
MS14-058
Title:
Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)
Update Type:
Security Update
Severity:
Critical
Date:
2014-10-14
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.
Vulnerabilities:
CVE-2014-4113
CVE-2014-4148
Included Updates:
3000061
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-057
Title:
Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414)
Update Type:
Security Update
Severity:
Critical
Date:
2014-10-14
Description:
This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of the vulnerabilities could allow remote code execution if an attacker sends a specially crafted URI request containing international characters to a .NET web application. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable, an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.
Vulnerabilities:
CVE-2014-4073
CVE-2014-4121
CVE-2014-4122
Included Updates:
2968292
2968294
2968295
2968296
2972098
2972100
2972101
2972103
2972105
2972106
2972107
2978041
2978042
2979568
2979570
2979571
2979573
2979574
2979575
2979576
2979577
2979578
3000414
Applies to:
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4
Microsoft .NET Framework 4.5.1/4.5.2
Microsoft .NET Framework 4.5/4.5.1/4.5.2

Bulletin ID:
MS14-056
Title:
Cumulative Security Update for Internet Explorer (2987107)
Update Type:
Security Update
Severity:
Critical
Date:
2014-10-14
Description:
This security update resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-4123
CVE-2014-4124
CVE-2014-4126
CVE-2014-4127
CVE-2014-4128
CVE-2014-4129
CVE-2014-4130
CVE-2014-4132
CVE-2014-4133
CVE-2014-4134
CVE-2014-4137
CVE-2014-4138
CVE-2014-4140
CVE-2014-4141
Included Updates:
2987107
Applies to:
Internet Explorer 10
Internet Explorer 11
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Bulletin ID:
MS14-042
Title:
Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621)
Update Type:
Security Update
Severity:
Moderate
Date:
2014-10-14
Description:
This security update resolves one publicly disclosed vulnerability in Microsoft Service Bus for Windows Server. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system. Microsoft Service Bus for Windows Server is not shipped with any Microsoft operating system. For an affected system to be vulnerable, Microsoft Service Bus must first be downloaded, installed, and configured, and then its configuration details (farm certificate) shared with other users.
Vulnerabilities:
CVE-2014-2814
Included Updates:
2972621
Applies to:
Microsoft Service Bus 1.1

Bulletin ID:
MS14-046
Title:
Vulnerability in .NET Framework Could Allow Security Feature Bypass (2984625)
Update Type:
Security Update
Severity:
Important
Date:
2014-10-07
Description:
This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow security feature bypass if a user visits a specially crafted website. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that could take advantage of the ASLR bypass to run arbitrary code.
Vulnerabilities:
CVE-2014-4062
Included Updates:
2937608
2937610
2943344
2943357
2966825
2966826
2966827
2966828
2984625
Applies to:
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1

Bulletin ID:
MS14-055
Title:
Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-23
Description:
This security update resolves three privately reported vulnerabilities in Microsoft Lync Server. The most severe of these vulnerabilities could allow denial of service if an attacker sends a specially crafted request to a Lync server.
Vulnerabilities:
CVE-2014-4068
CVE-2014-4070
CVE-2014-4071
Included Updates:
2982385
2982388
2982389
2982390
2986072
2990928
2992965
Applies to:
Microsoft Lync Server 2010
Microsoft Lync Server 2013

Bulletin ID:
MS14-054
Title:
Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2014-4074
Included Updates:
2988948
Applies to:
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2

Bulletin ID:
MS14-053
Title:
Vulnerability in .NET Framework Could Allow Denial of Service (2990931)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves one privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow denial of service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website. By default, ASP.NET is not installed when Microsoft .NET Framework is installed on any supported edition of Microsoft Windows. To be affected by the vulnerability, customers must manually install and enable ASP.NET by registering it with IIS.
Vulnerabilities:
CVE-2014-4072
Included Updates:
2972207
2972211
2972212
2972213
2972214
2972215
2972216
2973112
2973113
2973114
2973115
2974268
2974269
2977765
2977766
2990931
Applies to:
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4
Microsoft .NET Framework 4.5.1/4.5.2
Microsoft .NET Framework 4.5/4.5.1/4.5.2

Bulletin ID:
MS14-052
Title:
Cumulative Security Update for Internet Explorer (2977629)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves one publicly disclosed and thirty-six privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2013-7331
CVE-2014-2799
CVE-2014-4059
CVE-2014-4065
CVE-2014-4079
CVE-2014-4080
CVE-2014-4081
CVE-2014-4082
CVE-2014-4083
CVE-2014-4084
CVE-2014-4085
CVE-2014-4086
CVE-2014-4087
CVE-2014-4088
CVE-2014-4089
CVE-2014-4090
CVE-2014-4091
CVE-2014-4092
CVE-2014-4093
CVE-2014-4094
CVE-2014-4095
CVE-2014-4096
CVE-2014-4097
CVE-2014-4098
CVE-2014-4099
CVE-2014-4100
CVE-2014-4101
CVE-2014-4102
CVE-2014-4103
CVE-2014-4104
CVE-2014-4105
CVE-2014-4106
CVE-2014-4107
CVE-2014-4108
CVE-2014-4109
CVE-2014-4110
CVE-2014-4111
Included Updates:
2977629
Applies to:
Internet Explorer 10
Internet Explorer 11
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Bulletin ID:
MS13-017
Title:
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2799494)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves three privately reported vulnerabilities in all supported releases of Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.
Vulnerabilities:
CVE-2013-1278
CVE-2013-1279
CVE-2013-1280
Included Updates:
2799494
Applies to:
Server Core installation option
Windows 2008 R2
Windows 7
Windows 8
Windows RT
Windows Server 2003
Windows Server 2008
Windows Server 2012
Windows Vista
Windows XP

Bulletin ID:
MS13-016
Title:
Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778344)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves 30 privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.
Vulnerabilities:

Included Updates:
2778344
Applies to:
Server Core installation option
Windows 2008 R2
Windows 7
Windows 8
Windows RT
Windows Server 2003
Windows Server 2008
Windows Server 2012
Windows Vista
Windows XP

Bulletin ID:
MS13-005
Title:
Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application.
Vulnerabilities:
CVE-2013-0008
Included Updates:
2778930
Applies to:
Server Core Installation Option
Windows 7
Windows 8
Windows RT
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Vista

Bulletin ID:
MS12-078
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2783534)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType or OpenType font files. An attacker would have to convince users to visit the website, typically by getting them to click a link in an email message that takes them to the attacker's website.
Vulnerabilities:
CVE-2012-2556
CVE-2012-4786
Included Updates:
2753842
2779030
2783534
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Vista
Windows XP

Bulletin ID:
MS12-075
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves three privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker would have to convince users to visit the website, typically by getting them to click a link in an email message that takes them to the attacker's website.
Vulnerabilities:
CVE-2012-2530
CVE-2012-2553
CVE-2012-2897
Included Updates:
2761226
Applies to:
Server Core installation option

Bulletin ID:
MS12-068
Title:
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2724197)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in all supported releases of Microsoft Windows except Windows 8 and Windows Server 2012. This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2012-2529
Included Updates:
2724197
Applies to:
Server Core installation option
Windows 7
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP

Bulletin ID:
MS12-055
Title:
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2731847)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2012-2527
Included Updates:
2731847
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-047
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2012-1890
CVE-2012-1893
Included Updates:
2718523
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-043
Title:
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker's website.
Vulnerabilities:
CVE-2012-1889
Included Updates:
2596856
2687627
2719985
2721691
2721693
2722479
Applies to:
Office 2003
Office 2007
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-042
Title:
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2012-0217
CVE-2012-1515
Included Updates:
2707511
2709715
2711167
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008 R2
Windows XP

Bulletin ID:
MS12-041
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities.
Vulnerabilities:
CVE-2012-1864
CVE-2012-1865
CVE-2012-1866
CVE-2012-1867
CVE-2012-1868
Included Updates:
2709162
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-032
Title:
Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
Vulnerabilities:
CVE-2012-0174
CVE-2012-0179
Included Updates:
2688338
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS12-019
Title:
Vulnerability in DirectWrite Could Allow Denial of Service (2665364)
Update Type:
Security Update
Severity:
Moderate
Date:
2014-09-09
Description:
This security update resolves a publicly disclosed vulnerability in Windows DirectWrite. In an Instant Messenger-based attack scenario, the vulnerability could allow denial of service if an attacker sends a specially crafted sequence of Unicode characters directly to an Instant Messenger client. The target application could become unresponsive when DirectWrite renders the specially crafted sequence of Unicode characters.
Vulnerabilities:
CVE-2012-0156
Included Updates:
2665364
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS12-018
Title:
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2012-0157
Included Updates:
2641653
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-008
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a website containing specially crafted content or if a specially crafted application is run locally. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
Vulnerabilities:
CVE-2011-5046
CVE-2012-0154
Included Updates:
2660465
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-097
Title:
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2011-3408
Included Updates:
2620712
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-087
Title:
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files.
Vulnerabilities:
CVE-2011-3402
Included Updates:
2639417
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-084
Title:
Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
Update Type:
Security Update
Severity:
Moderate
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message.
Vulnerabilities:
CVE-2011-2004
Included Updates:
2617657
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008 R2

Bulletin ID:
MS11-083
Title:
Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.
Vulnerabilities:
CVE-2011-2013
Included Updates:
2588516
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS11-077
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted font file (such as a .fon file) in a network share, a UNC or WebDAV location, or an e-mail attachment. For a remote attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the specially crafted font file, or open the file as an e-mail attachment.
Vulnerabilities:
CVE-2011-1985
CVE-2011-2002
CVE-2011-2003
CVE-2011-2011
Included Updates:
2567053
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-068
Title:
Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)
Update Type:
Security Update
Severity:
Moderate
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user visits a network share (or visits a Web site that points to a network share) containing a specially crafted file. In all cases, however, an attacker would have no way to force a user to visit such a network share or Web site. Instead, an attacker would have to convince a user to do so, typically by getting the user to click a link in an e-mail message or Instant Messenger message.
Vulnerabilities:
CVE-2011-1971
Included Updates:
2556532
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS11-064
Title:
Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends a sequence of specially crafted Internet Control Message Protocol (ICMP) messages to a target system or sends a specially crafted URL request to a server that is serving Web content and has the URL-based Quality of Service (QoS) feature enabled.
Vulnerabilities:
CVE-2011-1871
CVE-2011-1965
Included Updates:
2563894
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS11-063
Title:
Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2011-1967
Included Updates:
2567680
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-056
Title:
Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves five privately reported vulnerabilities in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS). The vulnerabilities could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.
Vulnerabilities:
CVE-2011-1281
CVE-2011-1282
CVE-2011-1283
CVE-2011-1284
CVE-2011-1870
Included Updates:
2507938
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-054
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves 15 privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Vulnerabilities:
CVE-2011-1874
CVE-2011-1875
CVE-2011-1876
CVE-2011-1877
CVE-2011-1878
CVE-2011-1879
CVE-2011-1880
CVE-2011-1881
CVE-2011-1882
CVE-2011-1883
CVE-2011-1884
CVE-2011-1885
CVE-2011-1886
CVE-2011-1887
CVE-2011-1888
Included Updates:
2555917
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-046
Title:
Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2503665)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a publicly disclosed vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). The vulnerability could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.
Vulnerabilities:
CVE-2011-1249
Included Updates:
2503665
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-041
Title:
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a network share (or visits a web site that points to a network share) containing a specially crafted OpenType font (OTF). In all cases, however, an attacker would have no way to force a user to visit such a web site or network share. Instead, an attacker would have to convince a user to visit the web site or network share, typically by getting them to click a link in an e-mail message or Instant Messenger message.
Vulnerabilities:
CVE-2011-1873
Included Updates:
2525694
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP x64 Edition

Bulletin ID:
MS11-038
Title:
Vulnerability in OLE Automation Could Allow Remote Code Execution (2476490)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability could allow remote code execution if a user visits a Web site containing a specially crafted Windows Metafile (WMF) image. In all cases, however, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to convince users to visit a malicious Web site, typically by getting them to click a link in an e-mail message or Instant Messenger request.
Vulnerabilities:
CVE-2011-0658
Included Updates:
2476490
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-034
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves thirty privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Vulnerabilities:

Included Updates:
2506223
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-032
Title:
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in the OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. In all cases, an attacker would have no way to force users to view the specially crafted content. Instead, an attacker would have to convince users to visit a Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
Vulnerabilities:
CVE-2011-0034
Included Updates:
2507618
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-031
Title:
Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow remote code execution if a user visited a specially crafted Web site. An attacker would have no way to force users to visit the Web site. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
Vulnerabilities:
CVE-2011-0663
Included Updates:
2510531
2510581
2510587
2514666
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-027
Title:
Cumulative Security Update of ActiveX Kill Bits (2508272)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft software. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for three third-party ActiveX controls.
Vulnerabilities:
CVE-2010-0811
CVE-2010-3973
CVE-2011-1243
Included Updates:
2508272
Applies to:
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-026
Title:
Vulnerability in MHTML Could Allow Information Disclosure (2503658)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows. The vulnerability could allow information disclosure if a user visited a specially crafted Web site. In a Web-based attack scenario, a Web site could contain a specially crafted link that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open the specially crafted link.
Vulnerabilities:
CVE-2011-0096
Included Updates:
2503658
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-020
Title:
Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.
Vulnerabilities:
CVE-2011-0661
Included Updates:
2508429
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-013
Title:
Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if a local, authenticated attacker installs a malicious service on a domain-joined computer.
Vulnerabilities:
CVE-2011-0043
CVE-2011-0091
Included Updates:
2425227
2478971
2496930
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008 R2
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-012
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2011-0086
CVE-2011-0087
CVE-2011-0088
CVE-2011-0089
CVE-2011-0090
Included Updates:
2479628
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-009
Title:
Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow information disclosure if a user visited a specially crafted Web site. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
Vulnerabilities:
CVE-2011-0031
Included Updates:
2475792
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008 R2

Bulletin ID:
MS11-007
Title:
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. In all cases, an attacker would have no way to force users to view the specially crafted content. Instead, an attacker would have to convince users to visit a Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
Vulnerabilities:
CVE-2011-0033
Included Updates:
2485376
Applies to:
Windows 7
Windows 7 Language Packs
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-098
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves one publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-3939
CVE-2010-3940
CVE-2010-3941
CVE-2010-3942
CVE-2010-3943
CVE-2010-3944
Included Updates:
2436673
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-095
Title:
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file type such as .eml and .rss (Windows Live Mail) or .wpost (Microsoft Live Writer) located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
Vulnerabilities:
CVE-2010-3966
Included Updates:
2385678
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008 R2

Bulletin ID:
MS10-091
Title:
Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves several privately reported vulnerabilities in the Windows OpenType Font (OTF) driver that could allow remote code execution. An attacker could host a specially crafted OpenType font on a network share. The affected control path is then triggered when the user navigates to the share in Windows Explorer, allowing the specially crafted font to take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Vulnerabilities:
CVE-2010-3956
CVE-2010-3957
CVE-2010-3959
Included Updates:
2296199
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-085
Title:
Vulnerability in SChannel Could Allow Denial of Service (2207566)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The vulnerability could allow denial of service if an affected system received a specially crafted packet message via Secure Sockets Layer (SSL). By default, all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not configured to receive SSL network traffic.
Vulnerabilities:
CVE-2010-3229
Included Updates:
2207566
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS10-073
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves several publicly disclosed vulnerabilities in the Windows kernel-mode drivers. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-2549
CVE-2010-2743
CVE-2010-2744
Included Updates:
981957
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-058
Title:
Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege due to an error in the processing of a specific input buffer. An attacker who is able to log on to the target system could exploit this vulnerability and run arbitrary code with system-level privileges. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Vulnerabilities:
CVE-2010-1892
CVE-2010-1893
Included Updates:
978886
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS10-054
Title:
Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.
Vulnerabilities:
CVE-2010-2550
CVE-2010-2551
CVE-2010-2552
Included Updates:
982214
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-051
Title:
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
Vulnerabilities:
CVE-2010-2561
Included Updates:
2079403
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-049
Title:
Vulnerabilities in SChannel could allow Remote Code Execution (980436)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site.
Vulnerabilities:
CVE-2009-3555
CVE-2010-2566
Included Updates:
980436
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-048
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves one publicly disclosed and four privately reported vulnerabilities in the Windows kernel-mode drivers. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-1887
CVE-2010-1894
CVE-2010-1895
CVE-2010-1896
CVE-2010-1897
Included Updates:
2160329
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-047
Title:
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-1888
CVE-2010-1889
CVE-2010-1890
Included Updates:
981852
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP

Bulletin ID:
MS10-046
Title:
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2568
Included Updates:
2286198
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-037
Title:
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow elevation of privilege if a user views content rendered in a specially crafted CFF font. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-0819
Included Updates:
980218
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-034
Title:
Cumulative Security Update of ActiveX Kill Bits (980195)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update addresses two privately reported vulnerabilities for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, and Windows 7, and Moderate for all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-0252
CVE-2010-0811
Included Updates:
980195
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-032
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font.
Vulnerabilities:
CVE-2010-0484
CVE-2010-0485
CVE-2010-1255
Included Updates:
979559
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-022
Title:
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves a publicly disclosed vulnerability in VBScript on Microsoft Windows that could allow remote code execution. This security update is rated Important for Microsoft Windows 2000, Windows XP, and Windows Server 2003. On Windows Server 2008, Windows Vista, Windows 7, and Windows Server 2008 R2, the vulnerable code is not exploitable; however, as the code is present, this update is provided as a defense-in-depth measure and has no severity rating. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities:
CVE-2010-0483
Included Updates:
981169
981332
981349
981350
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-021
Title:
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2010-0234
CVE-2010-0235
CVE-2010-0236
CVE-2010-0237
CVE-2010-0238
CVE-2010-0481
CVE-2010-0482
CVE-2010-0810
Included Updates:
979683
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-020
Title:
Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves one publicly disclosed and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
Vulnerabilities:
CVE-2009-3676
CVE-2010-0269
CVE-2010-0270
CVE-2010-0476
CVE-2010-0477
Included Updates:
980232
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-019
Title:
Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves two privately reported vulnerabilities in Windows Authenticode Verification that could allow remote code execution. An attacker who successfully exploited either vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Vulnerabilities:
CVE-2010-0486
CVE-2010-0487
Included Updates:
978601
979309
981210
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-012
Title:
Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-09
Description:
This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.
Vulnerabilities:
CVE-2010-0020
CVE-2010-0021
CVE-2010-0022
CVE-2010-0231
Included Updates:
971468
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-006
Title:
Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-09
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a malicious SMB server.
Vulnerabilities:
CVE-2010-0016
CVE-2010-0017
Included Updates:
978251
Applies to:
Windows 2000
Windows 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS13-036
Title:
Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the most severe vulnerabilities.
Vulnerabilities:
CVE-2013-1283
CVE-2013-1291
CVE-2013-1292
CVE-2013-1293
Included Updates:
2808735
2829996
2840149
Applies to:
Server Core Installation Option
Windows 2008 R2
Windows 7
Windows 8
Windows RT
Windows Server 2003
Windows Server 2008
Windows Server 2012
Windows Vista
Windows XP

Bulletin ID:
MS13-031
Title:
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Vulnerabilities:
CVE-2013-1284
CVE-2013-1294
Included Updates:
2813170
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows RT
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Vista
Windows XP

Bulletin ID:
MS13-029
Title:
Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2013-1296
Included Updates:
2813345
2813347
2828223
Applies to:
Windows 7
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP

Bulletin ID:
MS13-027
Title:
Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves three privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow elevation of privilege if an attacker gains access to a system.
Vulnerabilities:
CVE-2013-1285
CVE-2013-1286
CVE-2013-1287
Included Updates:
2807986
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Vista
Windows XP

Bulletin ID:
MS13-019
Title:
Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2790113)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2013-0076
Included Updates:
2790113
Applies to:
Server Core installation option
Windows 7
Windows Server 2008 R2

Bulletin ID:
MS13-018
Title:
Vulnerability in TCP/IP Could Allow Denial of Service (2790655)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an unauthenticated attacker sends a specially crafted connection termination packet to the server.
Vulnerabilities:
CVE-2013-0075
Included Updates:
2790655
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows RT
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Vista

Bulletin ID:
MS13-006
Title:
Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (2785220)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in the implementation of SSL and TLS in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker intercepts encrypted web traffic handshakes.
Vulnerabilities:
CVE-2013-0013
Included Updates:
2785220
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows RT
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Vista

Bulletin ID:
MS13-002
Title:
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves two privately reported vulnerabilities in Microsoft XML Core Services. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker's website.
Vulnerabilities:
CVE-2013-0006
CVE-2013-0007
Included Updates:
2687497
2687499
2756145
2757638
2758694
2758696
2760574
Applies to:
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for 64-bit Systems
Windows RT
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows XP Professional x64 Edition Service Pack 2
Windows XP Service Pack 3

Bulletin ID:
MS13-001
Title:
Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution (2769369)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a print server received a specially crafted print job. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems connected directly to the Internet have a minimal number of ports exposed.
Vulnerabilities:
CVE-2013-0011
Included Updates:
2769369
Applies to:
Server Core installation option
Windows 7
Windows Server 2008 R2

Bulletin ID:
MS12-082
Title:
Vulnerability in DirectPlay Could Allow Remote Code Execution (2770660)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to view a specially crafted Office document with embedded content. An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2012-1537
Included Updates:
2770660
Applies to:
Windows 7
Windows 8
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Vista
Windows XP

Bulletin ID:
MS12-081
Title:
Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2758857)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user browses to a folder that contains a file or subfolder with a specially crafted name. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2012-4774
Included Updates:
2758857
Applies to:
Server Core installation option
Windows 7
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP

Bulletin ID:
MS12-072
Title:
Vulnerabilities in Windows Shell Could Allow Remote Code Execution (2727528)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user browses to a specially crafted briefcase in Windows Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2012-1527
CVE-2012-1528
Included Updates:
2727528
Applies to:
Operating System

Bulletin ID:
MS12-069
Title:
Vulnerability in Kerberos Could Allow Denial of Service (2743555)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote attacker sends a specially crafted session request to the Kerberos server. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Vulnerabilities:
CVE-2012-2551
Included Updates:
2743555
Applies to:
Server Core installation option
Windows 7
Windows Server 2008 R2

Bulletin ID:
MS12-056
Title:
Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines on 64-bit versions of Microsoft Windows. The vulnerability could allow remote code execution if a user visited a specially crafted website. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Vulnerabilities:
CVE-2012-2523
Included Updates:
2706045
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP x64 Edition

Bulletin ID:
MS12-054
Title:
Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted response to a Windows print spooler request. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems connected directly to the Internet have a minimal number of ports exposed.
Vulnerabilities:
CVE-2012-1850
CVE-2012-1851
CVE-2012-1852
CVE-2012-1853
Included Updates:
2705219
2712808
2733594
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-049
Title:
Vulnerability in TLS Could Allow Information Disclosure (2655992)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a publicly disclosed vulnerability in TLS. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. All cipher suites that do not use CBC mode are not affected.
Vulnerabilities:
CVE-2012-1870
Included Updates:
2655992
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-048
Title:
Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file or directory with a specially crafted name. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2012-0175
Included Updates:
2691442
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-045
Title:
Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2012-1891
Included Updates:
2698365
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-036
Title:
Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Vulnerabilities:
CVE-2012-0173
Included Updates:
2685939
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-034
Title:
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves three publicly disclosed vulnerabilities and seven privately reported vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
Vulnerabilities:
CVE-2011-3402
CVE-2012-0159
CVE-2012-0162
CVE-2012-0164
CVE-2012-0165
CVE-2012-0167
CVE-2012-0176
CVE-2012-0180
CVE-2012-0181
CVE-2012-1848
Included Updates:
2589337
2596672
2596792
2598253
2636927
2656405
2656407
2656409
2656410
2656411
2658846
2659262
2660649
2676562
2681578
2686509
2690729
Applies to:
Office 2003
Office 2007
Office 2010
Silverlight
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-033
Title:
Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2012-0178
Included Updates:
2690533
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS12-024
Title:
Vulnerability in Windows Could Allow Remote Code Execution (2653956)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.
Vulnerabilities:
CVE-2012-0151
Included Updates:
2653956
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-020
Title:
Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Vulnerabilities:
CVE-2012-0002
CVE-2012-0152
Included Updates:
2621440
2667402
2671387
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-013
Title:
Vulnerability in C Run-Time Library Could Allow Remote Code Execution (2654428)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted media file that is hosted on a website or sent as an email attachment. An attacker who successfully exploited the vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2012-0150
Included Updates:
2654428
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS12-009
Title:
Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege (2645640)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.
Vulnerabilities:
CVE-2012-0148
CVE-2012-0149
Included Updates:
2645640
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP x64 Edition

Bulletin ID:
MS12-006
Title:
Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
Vulnerabilities:
CVE-2011-3389
Included Updates:
2585542
2638806
2643584
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-005
Title:
Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2012-0013
Included Updates:
2584146
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-004
Title:
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2012-0003
CVE-2012-0004
Included Updates:
2598479
2628259
2628642
2631813
2636391
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS12-001
Title:
Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.
Vulnerabilities:
CVE-2012-0001
Included Updates:
2644615
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP x64 Edition

Bulletin ID:
MS11-092
Title:
Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.
Vulnerabilities:
CVE-2011-3401
Included Updates:
2619339
2619340
2648048
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-090
Title:
Cumulative Security Update of ActiveX Kill Bits (2618451)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft software. The vulnerability could allow remote code execution if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.
Vulnerabilities:
CVE-2011-3397
Included Updates:
2618451
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-085
Title:
Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application.
Vulnerabilities:
CVE-2011-2016
Included Updates:
2620704
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS11-076
Title:
Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a publicly disclosed vulnerability in Windows Media Center. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Media Center could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file.
Vulnerabilities:
CVE-2011-2009
Included Updates:
2579686
2579692
2604926
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Vista

Bulletin ID:
MS11-075
Title:
Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in the Microsoft Active Accessibility component. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, the Microsoft Active Accessibility component could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
Vulnerabilities:
CVE-2011-1247
Included Updates:
2564958
2605295
2623699
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-071
Title:
Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2011-1991
Included Updates:
2570947
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-059
Title:
Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate Excel file (such as a .xlsx file) that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2011-1975
Included Updates:
2560656
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008 R2

Bulletin ID:
MS11-053
Title:
Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in the Windows Bluetooth Stack. The vulnerability could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability only affects systems with Bluetooth capability.
Vulnerabilities:
CVE-2011-1265
Included Updates:
2532531
2561109
2566220
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Vista

Bulletin ID:
MS11-048
Title:
Vulnerability in SMB Server Could Allow Denial of Service (2536275)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit this vulnerability.
Vulnerabilities:
CVE-2011-1267
Included Updates:
2536275
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008
Windows Server 2008 R2
Windows Vista

Bulletin ID:
MS11-043
Title:
Vulnerability in SMB Client Could Allow Remote Code Execution (2536276)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
Vulnerabilities:
CVE-2011-1268
Included Updates:
2536276
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-037
Title:
Vulnerability in MHTML Could Allow Information Disclosure (2544893)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows. The vulnerability could allow information disclosure if a user opens a specially crafted URL from an attacker's web site. An attacker would have to convince the user to visit the web site, typically by getting them to follow a link in an e-mail message or Instant Messenger message.
Vulnerabilities:
CVE-2011-1894
Included Updates:
2544893
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-030
Title:
Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in Windows DNS resolution. The vulnerability could allow remote code execution if an attacker gained access to the network and then created a custom program to send specially crafted LLMNR broadcast queries to the target systems. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the LLMNR ports should be blocked from the Internet.
Vulnerabilities:
CVE-2011-0657
Included Updates:
2509553
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-024
Title:
Vulnerabilities in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves two publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opened a specially crafted fax cover page file (.cov) using the Windows Fax Cover Page Editor. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-3974
CVE-2010-4701
Included Updates:
2491683
2506212
2527308
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-019
Title:
Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
Vulnerabilities:
CVE-2011-0654
CVE-2011-0660
Included Updates:
2511455
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS11-015
Title:
Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
Update Type:
Security Update
Severity:
Critical
Date:
2014-09-02
Description:
This security update resolves one publicly disclosed vulnerability in DirectShow and one privately reported vulnerability in Windows Media Player and Windows Media Center. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.
Vulnerabilities:
CVE-2011-0032
CVE-2011-0042
Included Updates:
2479943
2494132
2502898
2510030
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS10-081
Title:
Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011)
Update Type:
Security Update
Severity:
Important
Date:
2014-09-02
Description:
This security update resolves a privately reported vulnerability in the Windows common control library. The vulnerability could allow remote code execution if a user visited a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2010-2746
Included Updates:
2296011
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
Windows XP x64 Edition

Bulletin ID:
MS14-045
Title:
Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615)
Update Type:
Security Update
Severity:
Important
Date:
2014-08-27
Description:
This security update resolves three privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Vulnerabilities:
CVE-2014-0318
CVE-2014-1819
CVE-2014-4064
Included Updates:
2976897
2984615
2993651
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-051
Title:
Cumulative Security Update for Internet Explorer (2976627)
Update Type:
Security Update
Severity:
Critical
Date:
2014-08-12
Description:
This security update resolves one publicly disclosed and twenty-five privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-2774
CVE-2014-2784
CVE-2014-2796
CVE-2014-2808
CVE-2014-2810
CVE-2014-2811
CVE-2014-2817
CVE-2014-2818
CVE-2014-2819
CVE-2014-2820
CVE-2014-2821
CVE-2014-2822
CVE-2014-2823
CVE-2014-2824
CVE-2014-2825
CVE-2014-2826
CVE-2014-2827
CVE-2014-4050
CVE-2014-4051
CVE-2014-4052
CVE-2014-4055
CVE-2014-4056
CVE-2014-4057
CVE-2014-4058
CVE-2014-4063
CVE-2014-4067
CVE-2014-4145
CVE-2014-6354
Included Updates:
2976627
Applies to:
Internet Explorer 10
Internet Explorer 11
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Bulletin ID:
MS14-050
Title:
Vulnerability in Microsoft SharePoint Server Could Allow Elevation of Privilege (2977202)
Update Type:
Security Update
Severity:
Important
Date:
2014-08-12
Description:
This security update resolves one privately reported vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could use a specially crafted app to run arbitrary JavaScript in the context of the user on the current SharePoint site.
Vulnerabilities:
CVE-2014-2816
Included Updates:
2880994
2977202
Applies to:
Microsoft Knowledge Base Article 2880994
Microsoft Knowledge Base Article 887012
Microsoft Knowledge Base Article 912203

Bulletin ID:
MS14-048
Title:
Vulnerability in OneNote Could Allow Remote Code Execution (2977201)
Update Type:
Security Update
Severity:
Important
Date:
2014-08-12
Description:
This security update resolves a privately reported vulnerability in Microsoft OneNote. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft OneNote. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-2815
Included Updates:
2596857
2977201
Applies to:
Microsoft OneNote 2007 Service Pack 3

Bulletin ID:
MS14-047
Title:
Vulnerability in LRPC Could Allow Security Feature Bypass (2978668)
Update Type:
Security Update
Severity:
Important
Date:
2014-08-12
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker uses the vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that takes advantage of the ASLR bypass to run arbitrary code.
Vulnerabilities:
CVE-2014-0316
Included Updates:
2978668
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2012
Windows Server 2012 R2

Bulletin ID:
MS14-044
Title:
Vulnerabilities in SQL Server Could Allow Elevation of Privilege (2984340)
Update Type:
Security Update
Severity:
Important
Date:
2014-08-12
Description:
This security update resolves two privately reported vulnerabilities in Microsoft SQL Server (one in SQL Server Master Data Services and the other in the SQL Server relational database management system). The more severe of these vulnerabilities, affecting SQL Server Master Data Services, could allow elevation of privilege if a user visits a specially crafted website that injects a client-side script into the user's instance of Internet Explorer. In all cases, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website, or by getting them to open an attachment sent through email.
Vulnerabilities:
CVE-2014-1820
CVE-2014-4061
Included Updates:
2977315
2977316
2977319
2977320
2977321
2977322
2977325
2977326
2984340
Applies to:
Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 2
Microsoft SQL Server 2008 R2 for Itanium-based Systems Service Pack 2
Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 2
Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3
Microsoft SQL Server 2008 for Itanium-based Systems Service Pack 3
Microsoft SQL Server 2008 for x64-based Systems Service Pack 3
Microsoft SQL Server 2012 for 32-bit Systems Service Pack 1
Microsoft SQL Server 2012 for x64-based Systems Service Pack 1
Microsoft SQL Server 2014 for x64-based Systems

Bulletin ID:
MS14-043
Title:
Vulnerability in Windows Media Center Could Allow Remote Code Execution (2978742)
Update Type:
Security Update
Severity:
Critical
Date:
2014-08-12
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that invokes Windows Media Center resources. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-4060
Included Updates:
2978742
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Media Center

Bulletin ID:
MS14-036
Title:
Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)
Update Type:
Security Update
Severity:
Critical
Date:
2014-08-12
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerabilities could allow remote code execution if a user opens a specially crafted file or webpage. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-1817
CVE-2014-1818
Included Updates:
2767915
2863942
2878233
2881013
2881069
2881071
2957503
2957509
2963284
2963285
2964718
2964736
2965155
2965161
2967487
Applies to:


Bulletin ID:
MS11-098
Title:
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)
Update Type:
Security Update
Severity:
Important
Date:
2014-08-12
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Vulnerabilities:
CVE-2011-2018
Included Updates:
2633171
Applies to:
Windows 7
Windows Embedded Standard 7
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Vista
Windows XP

Bulletin ID:
MS14-041
Title:
Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681)
Update Type:
Security Update
Severity:
Important
Date:
2014-07-08
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low-integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged-on user. By default, the modern, immersive browsing experience on Windows 8 and Windows 8.1 runs with Enhanced Protected Mode (EPM). For example, customers using the touch-friendly Internet Explorer 11 browser on modern Windows tablets are using Enhanced Protected Mode by default. Enhanced Protected Mode uses advanced security protections that can help mitigate exploitation of this vulnerability on 64-bit systems.
Vulnerabilities:
CVE-2014-2780
Included Updates:
2972280
2973932
2975681
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-040
Title:
Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684)
Update Type:
Security Update
Severity:
Important
Date:
2014-07-08
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs onto a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2014-1767
Included Updates:
2961072
2973408
2975684
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-039
Title:
Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685)
Update Type:
Security Update
Severity:
Important
Date:
2014-07-08
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low-integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.
Vulnerabilities:
CVE-2014-2781
Included Updates:
2973201
2973906
2975685
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-038
Title:
Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689)
Update Type:
Security Update
Severity:
Critical
Date:
2014-07-08
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-1824
Included Updates:
2971850
2974286
2975689
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-033
Title:
Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061)
Update Type:
Security Update
Severity:
Important
Date:
2014-06-16
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a logged-on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website.
Vulnerabilities:
CVE-2014-1816
Included Updates:
2939576
2957482
2966061
2966631
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-031
Title:
Vulnerability in TCP Protocol Could Allow Denial of Service (2962478)
Update Type:
Security Update
Severity:
Important
Date:
2014-06-16
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a sequence of specially crafted packets to the target system.
Vulnerabilities:
CVE-2014-1811
Included Updates:
2957189
2961858
2962478
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-030
Title:
Vulnerability in Remote Desktop Could Allow Tampering (2969259)
Update Type:
Security Update
Severity:
Important
Date:
2014-06-16
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active Remote Desktop Protocol (RDP) session, and then sends specially crafted RDP packets to the targeted system. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Vulnerabilities:
CVE-2014-0296
Included Updates:
2965788
2966034
2969259
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2

Bulletin ID:
MS14-034
Title:
Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)
Update Type:
Security Update
Severity:
Important
Date:
2014-06-10
Description:
This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-2778
Included Updates:
2880513
2880515
2969261
Applies to:
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Word 2007 Service Pack 3

Bulletin ID:
MS14-032
Title:
Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258)
Update Type:
Security Update
Severity:
Important
Date:
2014-06-10
Description:
This security update resolves a privately reported vulnerability in Microsoft Lync Server. The vulnerability could allow information disclosure if a user tries to join a Lync meeting by clicking a specially crafted meeting URL.
Vulnerabilities:
CVE-2014-1823
Included Updates:
2963286
2963288
2969258
Applies to:
Microsoft Lync Server 2010
Microsoft Lync Server 2013

Bulletin ID:
MS14-028
Title:
Vulnerabilities in iSCSI Could Allow Denial of Service (2962485)
Update Type:
Security Update
Severity:
Important
Date:
2014-05-13
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends large amounts of specially crafted iSCSI packets over the target network. This vulnerability only affects servers for which the iSCSI target role has been enabled.
Vulnerabilities:
CVE-2014-0255
CVE-2014-0256
Included Updates:
2933826
2962073
2962485
Applies to:
Windows Server 2012
Windows Server 2012 R2
iSCSI Software Target 3.3

Bulletin ID:
MS14-027
Title:
Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)
Update Type:
Security Update
Severity:
Important
Date:
2014-05-13
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that uses ShellExecute. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2014-1807
Included Updates:
2926765
2962123
2962488
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Bulletin ID:
MS14-026
Title:
Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)
Update Type:
Security Update
Severity:
Important
Date:
2014-05-13
Description:
This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an unauthenticated attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. .NET Remoting is not widely used by applications; only custom applications that have been specifically designed to use .NET Remoting would expose a system to the vulnerability.
Vulnerabilities:
CVE-2014-1806
Included Updates:
2931352
2931354
2931356
2931357
2931358
2931365
2931366
2931367
2931368
2932079
2958732
Applies to:
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1

Bulletin ID:
MS14-025
Title:
Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)
Update Type:
Security Update
Severity:
Important
Date:
2014-05-13
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain - a practice that could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.
Vulnerabilities:
CVE-2014-1812
Included Updates:
2928120
2961899
2962486
Applies to:
Remote Server Administration Tools
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2012
Windows Server 2012 R2

Bulletin ID:
MS14-024
Title:
Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)
Update Type:
Security Update
Severity:
Important
Date:
2014-05-13
Description:
This security update resolves one privately reported vulnerability in an implementation of the MSCOMCTL common controls library. The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.
Vulnerabilities:
CVE-2014-1809
Included Updates:
2589288
2596804
2760272
2810073
2817330
2880502
2880507
2880508
2880971
2961033
Applies to:
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 1 (32-bit editions)
Microsoft Office 2010 Service Pack 1 (64-bit editions)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 (32-bit editions)
Microsoft Office 2013 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)

Bulletin ID:
MS14-023
Title:
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037)
Update Type:
Security Update
Severity:
Important
Date:
2014-05-13
Description:
This security update resolves two privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens an Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-1756
CVE-2014-1808
Included Updates:
2767772
2878284
2878316
2880463
2961037
Applies to:
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 1 (32-bit editions)
Microsoft Office 2010 Service Pack 1 (64-bit editions)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 (32-bit editions)
Microsoft Office 2013 (64-bit editions)
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)

Bulletin ID:
MS14-022
Title:
Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)
Update Type:
Security Update
Severity:
Critical
Date:
2014-05-13
Description:
This security update resolves multiple privately reported vulnerabilities in Microsoft Office server and productivity software. The most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.
Vulnerabilities:
CVE-2014-0251
CVE-2014-1754
CVE-2014-1813
Included Updates:
2596763
2596810
2596861
2596902
2752096
2760236
2810069
2837588
2837598
2837616
2863829
2863836
2863854
2863856
2863863
2863922
2880453
2880536
2952166
Applies to:
Microsoft SharePoint Foundation 2010 Service Pack 1
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2010 Service Pack 1
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Server 2013
Microsoft SharePoint Server 2013 Service Pack 1
Microsoft Windows SharePoint Services 3.0 Service Pack 3 (32-bit versions)
Microsoft Windows SharePoint Services 3.0 Service Pack 3 (64-bit versions)
SharePoint Server 2007 Service Pack 3 (32-bit editions)
SharePoint Server 2007 Service Pack 3 (64-bit editions)

Bulletin ID:
MS14-020
Title:
Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)
Update Type:
Security Update
Severity:
Important
Date:
2014-04-08
Description:
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file in an affected version of Microsoft Publisher. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-1759
Included Updates:
2817565
2878299
2950145
Applies to:
Components
Microsoft Office Suites

Bulletin ID:
MS14-019
Title:
Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)
Update Type:
Security Update
Severity:
Important
Date:
2014-04-08
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user runs specially crafted .bat and .cmd files from a trusted or semi-trusted network location. An attacker would have no way to force users to visit the network location or run the specially crafted files. Instead, an attacker would have to convince users to take such action. For example, an attacker could trick users into clicking a link that takes them to the location of the attacker's specially crafted files and subsequently convince them to run them.
Vulnerabilities:
CVE-2014-0315
Included Updates:
2922229
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows 8.1
Windows RT
Windows RT 8.1
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Vista
Windows XP

Bulletin ID:
MS14-017
Title:
Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)
Update Type:
Security Update
Severity:
Critical
Date:
2014-04-08
Description:
This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Office. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened or previewed in an affected version of Microsoft Office software. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities:
CVE-2014-1757
CVE-2014-1758
CVE-2014-1761
Included Updates:
2863907
2863910
2863919
2863926
2878219
2878220
2878221
2878236
2878237
2878303
2878304
2949660
Applies to:
Microsoft Office 2003
Microsoft Office 2007
Microsoft Office 2010
Microsoft Office 2013
Microsoft Office 2013 RT
Microsoft Office for Mac
Other Office Software

Bulletin ID:
MS14-016
Title:
Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418)
Update Type:
Security Update
Severity:
Important
Date:
2014-03-11
Description:
This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker makes multiple attempts to match passwords to a username.
Vulnerabilities:
CVE-2014-0317
Included Updates:
2923392
2933528
2934418
Applies to:
Server Core installation option
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Vista
Windows XP

Bulletin ID:
MS14-015
Title:
Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2930275)
Update Type:
Security Update
Severity:
Important
Date:
2014-03-11
Description:
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Vulnerabilities:
CVE-2014-0300
CVE-2014-0323
Included Updates:
2930275
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows 8.1
Windows RT
Windows RT 8.1
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Vista
Windows XP

Bulletin ID:
MS14-014
Title:
Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)
Update Type:
Security Update
Severity:
Important
Date:
2014-03-11
Description:
This security update resolves a privately reported vulnerability in Microsoft Silverlight. The vulnerability could allow security feature bypass if an attacker hosts a website that contains specially crafted Silverlight content that is designed to exploit the vulnerability, and then convinces a user to view the website. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.
Vulnerabilities:
CVE-2014-0319
Included Updates:
2932677
Applies to:
Microsoft Silverlight 5

Bulletin ID:
MS14-013
Title:
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2929961)
Update Type:
Security Update
Severity:
Critical
Date:
2014-03-11
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted image file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-0301
Included Updates:
2929961
Applies to:
Windows 7
Windows 8
Windows 8.1
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Vista
Windows XP

Bulletin ID:
MS14-009
Title:
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607)
Update Type:
Security Update
Severity:
Important
Date:
2014-02-28
Description:
This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft .NET Framework. The most severe vulnerability could allow elevation of privilege if a user visits a specially crafted website or a website containing specially crafted web content. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the compromised website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website.
Vulnerabilities:
CVE-2014-0253
CVE-2014-0257
CVE-2014-0295
Included Updates:
2898855
2898856
2898857
2898858
2898860
2898864
2898865
2898866
2898868
2898869
2898870
2898871
2901110
2901111
2901112
2901113
2901115
2901118
2901119
2901120
2901125
2901126
2901127
2901128
2904878
2911501
2911502
2916607
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows 8.1
Windows RT
Windows RT 8.1
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Vista
Windows XP

Bulletin ID:
MS14-007
Title:
Vulnerability in Direct2D Could Allow Remote Code Execution (2912390)
Update Type:
Security Update
Severity:
Critical
Date:
2014-02-28
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker's website, or by getting them to open an attachment sent through email.
Vulnerabilities:
CVE-2014-0263
Included Updates:
2912390
Applies to:
Windows 7
Windows 8
Windows 8.1
Windows RT
Windows RT 8.1
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2

Bulletin ID:
MS14-005
Title:
Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036)
Update Type:
Security Update
Severity:
Important
Date:
2014-02-28
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services included in Microsoft Windows. The vulnerability could allow information disclosure if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker's website, or by getting them to open an attachment sent through email.
Vulnerabilities:
CVE-2014-0266
Included Updates:
2916036
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows 8.1
Windows RT
Windows RT 8.1
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Vista
Windows XP

Bulletin ID:
MS13-098
Title:
Vulnerability in Windows Could Allow Remote Code Execution (2893294)
Update Type:
Security Update
Severity:
Critical
Date:
2014-02-28
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.
Vulnerabilities:
CVE-2013-3900
Included Updates:
2893294
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows 8.1
Windows RT
Windows RT 8.1
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Vista
Windows XP

Bulletin ID:
MS13-095
Title:
Vulnerability in Digital Signatures Could Allow Denial of Service (2868626)
Update Type:
Security Update
Severity:
Important
Date:
2014-02-28
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate.
Vulnerabilities:
CVE-2013-3869
Included Updates:
2868626
Applies to:
Server Core installation option
Windows 7
Windows 8
Windows 8.1
Windows RT
Windows RT 8.1
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Vista
Windows XP

Bulletin ID:
MS13-090
Title:
Cumulative Security Update of ActiveX Kill Bits (2900986)
Update Type:
Security Update
Severity:
Critical
Date:
2014-02-28
Description:
This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. The vulnerability could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2013-3918
Included Updates:
2900986
Applies to:


Bulletin ID:
MS14-011
Title:
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390)
Update Type:
Security Update
Severity:
Critical
Date:
2014-02-11
Description:
This security update resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visited a specially crafted website. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Vulnerabilities:
CVE-2014-0271
Included Updates:
2909212
2909213
2928390
Applies to:
Server Core installation
VBScript 5.6
VBScript 5.7
VBScript 5.8 (Internet Explorer 10)
VBScript 5.8 (Internet Explorer 11)
VBScript 5.8 (Internet Explorer 8)
VBScript 5.8 (Internet Explorer 9)

Bulletin ID:
MS14-010
Title:
Cumulative Security Update for Internet Explorer (2909921)
Update Type:
Security Update
Severity:
Critical
Date:
2014-02-11
Description:
This security update resolves one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-0267
CVE-2014-0268
CVE-2014-0269
CVE-2014-0270
CVE-2014-0271
CVE-2014-0272
CVE-2014-0273
CVE-2014-0274
CVE-2014-0275
CVE-2014-0276
CVE-2014-0277
CVE-2014-0278
CVE-2014-0279
CVE-2014-0280
CVE-2014-0281
CVE-2014-0283
CVE-2014-0284
CVE-2014-0285
CVE-2014-0286
CVE-2014-0287
CVE-2014-0288
CVE-2014-0289
CVE-2014-0290
CVE-2014-0293
Included Updates:
2909921
Applies to:
Internet Explorer 10
Internet Explorer 11
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Bulletin ID:
MS14-006
Title:
Vulnerability in IPv6 Could Allow Denial of Service (2904659)
Update Type:
Security Update
Severity:
Important
Date:
2014-02-11
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a large number of specially crafted IPv6 packets to an affected system. To exploit the vulnerability, an attacker's system must belong to the same subnet as the target system.
Vulnerabilities:
CVE-2014-0254
Included Updates:
2904659
Applies to:
Server Core installation option
Windows 8
Windows RT
Windows Server 2012

Bulletin ID:
MS14-003
Title:
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)
Update Type:
Security Update
Severity:
Important
Date:
2014-01-14
Description:
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a user logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2014-0262
Included Updates:
2913602
Applies to:
Server Core installation option
Windows 7
Windows Server 2008 R2

Bulletin ID:
MS14-002
Title:
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)
Update Type:
Security Update
Severity:
Important
Date:
2014-01-14
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Vulnerabilities:
CVE-2013-5065
Included Updates:
2914368
Applies to:
Windows Server 2003
Windows XP

Bulletin ID:
MS14-001
Title:
Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)
Update Type:
Security Update
Severity:
Important
Date:
2014-01-14
Description:
This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities:
CVE-2014-0258
CVE-2014-0259
CVE-2014-0260
Included Updates:
2827224
2837577
2837596
2837615
2837617
2837625
2863834
2863866
2863867
2863879
2863901
2863902
2916605
Applies to:
Microsoft Office 2003
Microsoft Office 2007
Microsoft Office 2010
Microsoft Office 2013
Microsoft Office 2013 RT
Other Office Software

Bulletin ID:
MS13-081
Title:
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)
Update Type:
Security Update
Severity:
Critical
Date:
2014-01-14
Description:
This security update resolves seven privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user views shared content that embeds OpenType or TrueType font files. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.
Vulnerabilities:
CVE-2013-3128
CVE-2013-3200
CVE-2013-3879
CVE-2013-3880
CVE-2013-3881
CVE-2013-3888
CVE-2013-3894
Included Updates:
2847311
2855844
2862330
2862335
2863725
2864202
2868038
2870008
2876284
2883150
2884256
Applies to:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for 64-bit Systems
Windows RT
Windows Server 2003 Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows XP Professional x64 Edition Service Pack 2
Windows XP Service Pack 3

Bulletin ID:
MS12-066
Title:
Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)
Update Type:
Security Update
Severity:
Important
Date:
2014-01-14
Description:
This security update resolves a publicly disclosed vulnerability in Microsoft Office, Microsoft Communications Platforms, Microsoft Server software, and Microsoft Office Web Apps. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user.
Vulnerabilities:
CVE-2012-2520
Included Updates:
2589280
2687402
2687405
2687417
2687434
2687435
2687436
2687439
2687440
2687442
2726382
2726388
2726391
2741517
Applies to:


Bulletin ID:
MS12-050
Title:
Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)
Update Type:
Security Update
Severity:
Important
Date:
2014-01-14
Description:
This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft SharePoint and Windows SharePoint Services. The most severe vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes the user to a targeted SharePoint site.
Vulnerabilities:
CVE-2012-1858
CVE-2012-1859
CVE-2012-1860
CVE-2012-1861
CVE-2012-1862
CVE-2012-1863
Included Updates:
2553194
2553322
2553365
2553424
2553431
2589325
2596663
2596666
2596786
2596911
2596942
2598239
2695502
Applies to:
Office 2007
Office 2010
Windows Server 2003
Windows Server 2003, Datacenter Edition
Windows Server 2008
Windows Server 2008 R2