Bulletin ID: MS14-075 |
Title: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) |
Update Type: Security Update |
Severity: Important |
Date: 2014-12-16 |
Description: This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL. |
Vulnerabilities: CVE-2014-6319 CVE-2014-6325 CVE-2014-6326 CVE-2014-6336 |
Included Updates: 2986475 2996150 3009712 3011140 |
Applies to: Microsoft Exchange Server 2007 Service Pack 3 Microsoft Exchange Server 2010 Service Pack 3 Microsoft Exchange Server 2013 Cumulative Update 6 Microsoft Exchange Server 2013 Service Pack 1 |
Bulletin ID: MS14-085 |
Title: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) |
Update Type: Security Update |
Severity: Important |
Date: 2014-12-09 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user browses to a website containing specially crafted JPEG content. An attacker could use this information disclosure vulnerability to gain information about the system that could then be combined with other attacks to compromise the system. The information disclosure vulnerability by itself does not allow arbitrary code execution. However, an attacker could use this information disclosure vulnerability in conjunction with another vulnerability to bypass security features such as Address Space Layout Randomization (ASLR). |
Vulnerabilities: CVE-2013-6355 CVE-2014-6355 |
Included Updates: 3013126 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-083 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) |
Update Type: Security Update |
Severity: Important |
Date: 2014-12-09 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Excel. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Excel file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-6360 CVE-2014-6361 |
Included Updates: 2910902 2910929 2920790 2984942 3017347 |
Applies to: Microsoft Excel 2007 Service Pack 3 Microsoft Excel 2010 Service Pack 2 (32-bit editions) Microsoft Excel 2010 Service Pack 2 (64-bit editions) Microsoft Excel 2013 (32-bit editions) Microsoft Excel 2013 (64-bit editions) Microsoft Excel 2013 Service Pack 1 (32-bit editions) Microsoft Excel 2013 Service Pack 1 (64-bit editions) Microsoft Office Compatibility Pack Service Pack 3 |
Bulletin ID: MS14-082 |
Title: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) |
Update Type: Security Update |
Severity: Important |
Date: 2014-12-09 |
Description: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-6364 |
Included Updates: 2553154 2596927 2726958 3017349 |
Applies to: Microsoft Office 2007 Service Pack 3 Microsoft Office 2010 Service Pack 2 (32-bit editions) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Office 2013 (32-bit editions) Microsoft Office 2013 (64-bit editions) Microsoft Office 2013 Service Pack 1 (32-bit editions) Microsoft Office 2013 Service Pack 1 (64-bit editions) |
Bulletin ID: MS14-081 |
Title: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-12-09 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-6356 CVE-2014-6357 |
Included Updates: 2883050 2889851 2899518 2899519 2899581 2910892 2910916 2920729 2920792 2920793 3017301 |
Applies to: Microsoft Office 2010 Service Pack 2 (32-bit editions) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Office Compatibility Pack Service Pack 3 Microsoft Office for Mac 2011 Microsoft Word 2007 Service Pack 3 Microsoft Word 2010 Service Pack 2 (32-bit editions) Microsoft Word 2010 Service Pack 2 (64-bit editions) Microsoft Word 2013 (32-bit editions) Microsoft Word 2013 (64-bit editions) Microsoft Word 2013 Service Pack 1 (32-bit editions) Microsoft Word 2013 Service Pack 1 (64-bit editions) Microsoft Word Viewer |
Bulletin ID: MS14-066 |
Title: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-12-09 |
Description: This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server. |
Vulnerabilities: CVE-2014-6321 |
Included Updates: 2992611 |
Applies to: SA2868725 SA2871997 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-065 |
Title: Cumulative Security Update for Internet Explorer (3003057) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-12-09 |
Description: This security update resolves seventeen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-6323 CVE-2014-6339 |
Included Updates: 3003057 |
Applies to: Internet Explorer 10 Internet Explorer 11 Internet Explorer 6 Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 |
Bulletin ID: MS14-068 |
Title: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-11-18 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability. |
Vulnerabilities: CVE-2014-6324 |
Included Updates: 3011780 |
Applies to: SA2871997 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-079 |
Title: Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885) |
Update Type: Security Update |
Severity: Moderate |
Date: 2014-11-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker places a specially crafted TrueType font on a network share and a user subsequently navigates there in Windows Explorer. In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to persuade users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. |
Vulnerabilities: CVE-2014-6317 |
Included Updates: 3002885 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-078 |
Title: Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719) |
Update Type: Security Update |
Severity: Moderate |
Date: 2014-11-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Input Method Editor (IME) (Japanese). The vulnerability could allow sandbox escape based on the application sandbox policy on a system where an affected version of the Microsoft IME (Japanese) is installed. An attacker who successfully exploited this vulnerability could escape the sandbox of a vulnerable application and gain access to the affected system with logged-in user rights. If the affected system is logged in with administrative rights, an attacker could then install programs; view, change or delete data; or create new accounts with full administrative rights. |
Vulnerabilities: CVE-2014-4077 |
Included Updates: 2889913 2991963 2992719 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-077 |
Title: Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381) |
Update Type: Security Update |
Severity: Important |
Date: 2014-11-11 |
Description: This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application, and an attacker reopens the application in the browser immediately after the user has logged off. |
Vulnerabilities: CVE-2014-6331 |
Included Updates: 3003381 |
Applies to: Active Directory Federation Services 2.0 Active Directory Federation Services 2.1 Active Directory Federation Services 3.0 |
Bulletin ID: MS14-076 |
Title: Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998) |
Update Type: Security Update |
Severity: Important |
Date: 2014-11-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Internet Information Services (IIS) that could lead to a bypass of the "IP and domain restrictions" security feature. Successful exploitation of this vulnerability could result in clients from restricted or blocked domains having access to restricted web resources. |
Vulnerabilities: CVE-2014-4078 |
Included Updates: 2982998 |
Applies to: Microsoft Internet Information Services 8.0 Microsoft Internet Information Services 8.5 |
Bulletin ID: MS14-074 |
Title: Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743) |
Update Type: Security Update |
Severity: Important |
Date: 2014-11-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass when Remote Desktop Protocol (RDP) fails to properly log audit events. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. |
Vulnerabilities: CVE-2014-6318 |
Included Updates: 3003743 |
Applies to: SA2871997 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-073 |
Title: Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431) |
Update Type: Security Update |
Severity: Important |
Date: 2014-11-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could run arbitrary script in the context of the user on the current SharePoint site. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email. |
Vulnerabilities: CVE-2014-4116 |
Included Updates: 2889838 3000431 |
Applies to: Microsoft SharePoint Foundation 2010 Service Pack 2 |
Bulletin ID: MS14-072 |
Title: Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210) |
Update Type: Security Update |
Severity: Important |
Date: 2014-11-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. Only custom applications that have been specifically designed to use .NET Remoting would expose a system to the vulnerability. |
Vulnerabilities: CVE-2014-4149 |
Included Updates: 2978114 2978116 2978120 2978121 2978122 2978124 2978125 2978126 2978127 2978128 3005210 |
Applies to: Microsoft .NET Framework 1.1 Service Pack 1 Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4 Microsoft .NET Framework 4.5.1/4.5.2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 |
Bulletin ID: MS14-071 |
Title: Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607) |
Update Type: Security Update |
Severity: Important |
Date: 2014-11-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an application uses the Microsoft Windows Audio service. The vulnerability by itself does not allow arbitrary code to be run. The vulnerability would have to be used in conjunction with another vulnerability that allowed remote code execution. |
Vulnerabilities: CVE-2014-6322 |
Included Updates: 3005607 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-070 |
Title: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) |
Update Type: Security Update |
Severity: Important |
Date: 2014-11-11 |
Description: This security update resolves a publicly reported vulnerability in TCP/IP that occurs during input/output control (IOCTL) processing. This vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process. If this process runs with administrator privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
Vulnerabilities: CVE-2014-4076 |
Included Updates: 2989935 |
Applies to: Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 |
Bulletin ID: MS14-069 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710) |
Update Type: Security Update |
Severity: Important |
Date: 2014-11-11 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected edition of Microsoft Office 2007. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-6333 CVE-2014-6334 CVE-2014-6335 |
Included Updates: 2899526 2899527 2899553 3009710 |
Applies to: Microsoft Office Compatibility Pack Service Pack 3 Microsoft Word 2007 Service Pack 3 Microsoft Word Viewer |
Bulletin ID: MS14-067 |
Title: Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-11-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a logged-on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website. |
Vulnerabilities: CVE-2014-4118 |
Included Updates: 2993958 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-064 |
Title: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-11-11 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-6332 CVE-2014-6352 |
Included Updates: 3006226 3010788 3011443 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-049 |
Title: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (2962490) |
Update Type: Security Update |
Severity: Important |
Date: 2014-11-11 |
Description: This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. |
Vulnerabilities: CVE-2012-4784 CVE-2014-1814 |
Included Updates: 2918614 2962490 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-063 |
Title: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579) |
Update Type: Security Update |
Severity: Important |
Date: 2014-10-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. An elevation of privilege vulnerability exists in the way the Windows FASTFAT system driver interacts with FAT32 disk partitions. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges. |
Vulnerabilities: CVE-2014-4115 |
Included Updates: 2998579 |
Applies to: Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-062 |
Title: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) |
Update Type: Security Update |
Severity: Important |
Date: 2014-10-14 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker sends a specially crafted input/output control (IOCTL) request to the Message Queuing service. Successful exploitation of this vulnerability could lead to full access to the affected system. By default, the Message Queuing component is not installed on any affected operating system edition and can only be enabled by a user with administrative privileges. Only customers who manually enable the Message Queuing component are likely to be vulnerable to this issue. |
Vulnerabilities: CVE-2014-4971 |
Included Updates: 2993254 |
Applies to: Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 |
Bulletin ID: MS14-061 |
Title: Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434) |
Update Type: Security Update |
Severity: Important |
Date: 2014-10-14 |
Description: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if an attacker convinces a user to open a specially crafted Microsoft Word file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-4117 |
Included Updates: 2883008 2883013 2883031 2883032 2883098 2889827 3000434 |
Applies to: Microsoft Office 2007 Service Pack 3 Microsoft Office 2010 Service Pack 1 (32-bit editions) Microsoft Office 2010 Service Pack 1 (64-bit editions) Microsoft Office 2010 Service Pack 2 (32-bit editions) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Office Compatibility Pack Service Pack 3 Microsoft Office for Mac 2011 Microsoft Word 2007 Service Pack 3 Microsoft Word 2010 Service Pack 1 (32-bit editions) Microsoft Word 2010 Service Pack 1 (64-bit editions) Microsoft Word 2010 Service Pack 2 (32-bit editions) Microsoft Word 2010 Service Pack 2 (64-bit editions) |
Bulletin ID: MS14-060 |
Title: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) |
Update Type: Security Update |
Severity: Important |
Date: 2014-10-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-4114 |
Included Updates: 3000869 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-059 |
Title: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942) |
Update Type: Security Update |
Severity: Important |
Date: 2014-10-14 |
Description: This security update resolves a publicly disclosed vulnerability in ASP.NET MVC. The vulnerability could allow security feature bypass if an attacker convinces a user to click a specially crafted link or to visit a webpage that contains specially crafted content designed to exploit the vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through a web browser, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website, or by getting them to open an attachment sent through email. | ||||
Vulnerabilities: CVE-2014-4075 |
Included Updates: 2990942 2992080 2993928 2993937 2993939 2994397 |
Applies to: ASP.NET MVC 2.0 ASP.NET MVC 3.0 ASP.NET MVC 4.0 ASP.NET MVC 5.0 ASP.NET MVC 5.1 |
Bulletin ID: MS14-058 |
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-10-14 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message. | ||||
Vulnerabilities: CVE-2014-4113 CVE-2014-4148 |
Included Updates: 3000061 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-057 |
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-10-14 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of the vulnerabilities could allow remote code execution if an attacker sends a specially crafted URI request containing international characters to a .NET web application. In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality. In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled. | ||||
Vulnerabilities: CVE-2014-4073 CVE-2014-4121 CVE-2014-4122 |
Included Updates: 2968292 2968294 2968295 2968296 2972098 2972100 2972101 2972103 2972105 2972106 2972107 2978041 2978042 2979568 2979570 2979571 2979573 2979574 2979575 2979576 2979577 2979578 3000414 |
Applies to: Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4 Microsoft .NET Framework 4.5.1/4.5.2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 |
Bulletin ID: MS14-056 |
Title: Cumulative Security Update for Internet Explorer (2987107) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-10-14 |
Description: This security update resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2014-4123 CVE-2014-4124 CVE-2014-4126 CVE-2014-4127 CVE-2014-4128 CVE-2014-4129 CVE-2014-4130 CVE-2014-4132 CVE-2014-4133 CVE-2014-4134 CVE-2014-4137 CVE-2014-4138 CVE-2014-4140 CVE-2014-4141 |
Included Updates: 2987107 |
Applies to: Internet Explorer 10 Internet Explorer 11 Internet Explorer 6 Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 |
Bulletin ID: MS14-042 |
Title: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) |
Update Type: Security Update |
Severity: Moderate |
Date: 2014-10-14 |
Description: This security update resolves one publicly disclosed vulnerability in Microsoft Service Bus for Windows Server. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system. Microsoft Service Bus for Windows Server is not shipped with any Microsoft operating system. For an affected system to be vulnerable, Microsoft Service Bus must first be downloaded, installed, and configured, and then its configuration details (farm certificate) shared with other users. | ||||
Vulnerabilities: CVE-2014-2814 |
Included Updates: 2972621 |
Applies to: Microsoft Service Bus 1.1 |
Bulletin ID: MS14-046 |
Title: Vulnerability in .NET Framework Could Allow Security Feature Bypass (2984625) |
Update Type: Security Update |
Severity: Important |
Date: 2014-10-07 |
Description: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow security feature bypass if a user visits a specially crafted website. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that could take advantage of the ASLR bypass to run arbitrary code. | ||||
Vulnerabilities: CVE-2014-4062 |
Included Updates: 2937608 2937610 2943344 2943357 2966825 2966826 2966827 2966828 2984625 |
Applies to: Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 |
Bulletin ID: MS14-055 |
Title: Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-23 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Lync Server. The most severe of these vulnerabilities could allow denial of service if an attacker sends a specially crafted request to a Lync server. | ||||
Vulnerabilities: CVE-2014-4068 CVE-2014-4070 CVE-2014-4071 |
Included Updates: 2982385 2982388 2982389 2982390 2986072 2990928 2992965 |
Applies to: Microsoft Lync Server 2010 Microsoft Lync Server 2013 |
Bulletin ID: MS14-054 |
Title: Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2014-4074 |
Included Updates: 2988948 |
Applies to: Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 |
Bulletin ID: MS14-053 |
Title: Vulnerability in .NET Framework Could Allow Denial of Service (2990931) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves one privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow denial of service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website. By default, ASP.NET is not installed when Microsoft .NET Framework is installed on any supported edition of Microsoft Windows. To be affected by the vulnerability, customers must manually install and enable ASP.NET by registering it with IIS. | ||||
Vulnerabilities: CVE-2014-4072 |
Included Updates: 2972207 2972211 2972212 2972213 2972214 2972215 2972216 2973112 2973113 2973114 2973115 2974268 2974269 2977765 2977766 2990931 |
Applies to: Microsoft .NET Framework 1.1 Service Pack 1 Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4 Microsoft .NET Framework 4.5.1/4.5.2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 |
Bulletin ID: MS14-052 |
Title: Cumulative Security Update for Internet Explorer (2977629) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves one publicly disclosed and thirty-six privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2013-7331 CVE-2014-2799 CVE-2014-4059 CVE-2014-4065 CVE-2014-4079 CVE-2014-4080 CVE-2014-4081 CVE-2014-4082 CVE-2014-4083 CVE-2014-4084 CVE-2014-4085 CVE-2014-4086 CVE-2014-4087 CVE-2014-4088 CVE-2014-4089 CVE-2014-4090 CVE-2014-4091 CVE-2014-4092 CVE-2014-4093 CVE-2014-4094 CVE-2014-4095 CVE-2014-4096 CVE-2014-4097 CVE-2014-4098 CVE-2014-4099 CVE-2014-4100 CVE-2014-4101 CVE-2014-4102 CVE-2014-4103 CVE-2014-4104 CVE-2014-4105 CVE-2014-4106 CVE-2014-4107 CVE-2014-4108 CVE-2014-4109 CVE-2014-4110 CVE-2014-4111 |
Included Updates: 2977629 |
Applies to: Internet Explorer 10 Internet Explorer 11 Internet Explorer 6 Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 |
Bulletin ID: MS13-017 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2799494) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves three privately reported vulnerabilities in all supported releases of Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities. | ||||
Vulnerabilities: CVE-2013-1278 CVE-2013-1279 CVE-2013-1280 |
Included Updates: 2799494 |
Applies to: Server Core installation option Windows 2008 R2 Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2012 Windows Vista Windows XP |
Bulletin ID: MS13-016 |
Title: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778344) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves 30 privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities. | ||||
Vulnerabilities: |
Included Updates: 2778344 |
Applies to: Server Core installation option Windows 2008 R2 Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2012 Windows Vista Windows XP |
Bulletin ID: MS13-005 |
Title: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application. | ||||
Vulnerabilities: CVE-2013-0008 |
Included Updates: 2778930 |
Applies to: Server Core Installation Option Windows 7 Windows 8 Windows RT Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista |
Bulletin ID: MS12-078 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2783534) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType or OpenType font files. An attacker would have to convince users to visit the website, typically by getting them to click a link in an email message that takes them to the attacker's website. | ||||
Vulnerabilities: CVE-2012-2556 CVE-2012-4786 |
Included Updates: 2753842 2779030 2783534 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
Bulletin ID: MS12-075 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker would have to convince users to visit the website, typically by getting them to click a link in an email message that takes them to the attacker's website. | ||||
Vulnerabilities: CVE-2012-2530 CVE-2012-2553 CVE-2012-2897 |
Included Updates: 2761226 |
Applies to: Server Core installation option |
Bulletin ID: MS12-068 |
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2724197) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in all supported releases of Microsoft Windows except Windows 8 and Windows Server 2012. This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2012-2529 |
Included Updates: 2724197 |
Applies to: Server Core installation option Windows 7 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP |
Bulletin ID: MS12-055 |
Title: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2731847) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | ||||
Vulnerabilities: CVE-2012-2527 |
Included Updates: 2731847 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-047 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | ||||
Vulnerabilities: CVE-2012-1890 CVE-2012-1893 |
Included Updates: 2718523 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-043 |
Title: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker's website. | ||||
Vulnerabilities: CVE-2012-1889 |
Included Updates: 2596856 2687627 2719985 2721691 2721693 2722479 |
Applies to: Office 2003 Office 2007 Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-042 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2012-0217 CVE-2012-1515 |
Included Updates: 2707511 2709715 2711167 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 R2 Windows XP |
Bulletin ID: MS12-041 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. | ||||
Vulnerabilities: CVE-2012-1864 CVE-2012-1865 CVE-2012-1866 CVE-2012-1867 CVE-2012-1868 |
Included Updates: 2709162 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-032 |
Title: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. | ||||
Vulnerabilities: CVE-2012-0174 CVE-2012-0179 |
Included Updates: 2688338 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS12-019 |
Title: Vulnerability in DirectWrite Could Allow Denial of Service (2665364) |
Update Type: Security Update |
Severity: Moderate |
Date: 2014-09-09 |
Description: This security update resolves a publicly disclosed vulnerability in Windows DirectWrite. In an Instant Messenger-based attack scenario, the vulnerability could allow denial of service if an attacker sends a specially crafted sequence of Unicode characters directly to an Instant Messenger client. The target application could become unresponsive when DirectWrite renders the specially crafted sequence of Unicode characters. | ||||
Vulnerabilities: CVE-2012-0156 |
Included Updates: 2665364 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS12-018 |
Title: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | ||||
Vulnerabilities: CVE-2012-0157 |
Included Updates: 2641653 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-008 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a website containing specially crafted content or if a specially crafted application is run locally. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. | ||||
Vulnerabilities: CVE-2011-5046 CVE-2012-0154 |
Included Updates: 2660465 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-097 |
Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | ||||
Vulnerabilities: CVE-2011-3408 |
Included Updates: 2620712 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-087 |
Title: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files. | ||||
Vulnerabilities: CVE-2011-3402 |
Included Updates: 2639417 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-084 |
Title: Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657) |
Update Type: Security Update |
Severity: Moderate |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message. | ||||
Vulnerabilities: CVE-2011-2004 |
Included Updates: 2617657 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 R2 |
Bulletin ID: MS11-083 |
Title: Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system. | ||||
Vulnerabilities: CVE-2011-2013 |
Included Updates: 2588516 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS11-077 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted font file (such as a .fon file) in a network share, a UNC or WebDAV location, or an e-mail attachment. For a remote attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the specially crafted font file, or open the file as an e-mail attachment. | ||||
Vulnerabilities: CVE-2011-1985 CVE-2011-2002 CVE-2011-2003 CVE-2011-2011 |
Included Updates: 2567053 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-068 |
Title: Vulnerability in Windows Kernel Could Allow Denial of Service (2556532) |
Update Type: Security Update |
Severity: Moderate |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user visits a network share (or visits a Web site that points to a network share) containing a specially crafted file. In all cases, however, an attacker would have no way to force a user to visit such a network share or Web site. Instead, an attacker would have to convince a user to do so, typically by getting the user to click a link in an e-mail message or Instant Messenger message. | ||||
Vulnerabilities: CVE-2011-1971 |
Included Updates: 2556532 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS11-064 |
Title: Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends a sequence of specially crafted Internet Control Message Protocol (ICMP) messages to a target system or sends a specially crafted URL request to a server that is serving Web content and has the URL-based Quality of Service (QoS) feature enabled. | ||||
Vulnerabilities: CVE-2011-1871 CVE-2011-1965 |
Included Updates: 2563894 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS11-063 |
Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to send a device event message to a higher-integrity process. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | ||||
Vulnerabilities: CVE-2011-1967 |
Included Updates: 2567680 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-056 |
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves five privately reported vulnerabilities in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS). The vulnerabilities could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities. | ||||
Vulnerabilities: CVE-2011-1281 CVE-2011-1282 CVE-2011-1283 CVE-2011-1284 CVE-2011-1870 |
Included Updates: 2507938 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-054 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves 15 privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. | ||||
Vulnerabilities: CVE-2011-1874 CVE-2011-1875 CVE-2011-1876 CVE-2011-1877 CVE-2011-1878 CVE-2011-1879 CVE-2011-1880 CVE-2011-1881 CVE-2011-1882 CVE-2011-1883 CVE-2011-1884 CVE-2011-1885 CVE-2011-1886 CVE-2011-1887 CVE-2011-1888 |
Included Updates: 2555917 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-046 |
Title: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2503665) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a publicly disclosed vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). The vulnerability could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability. | ||||
Vulnerabilities: CVE-2011-1249 |
Included Updates: 2503665 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-041 |
Title: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a network share (or visits a web site that points to a network share) containing a specially crafted OpenType font (OTF). In all cases, however, an attacker would have no way to force a user to visit such a web site or network share. Instead, an attacker would have to convince a user to visit the web site or network share, typically by getting them to click a link in an e-mail message or Instant Messenger message. | ||||
Vulnerabilities: CVE-2011-1873 |
Included Updates: 2525694 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP x64 Edition |
Bulletin ID: MS11-038 |
Title: Vulnerability in OLE Automation Could Allow Remote Code Execution (2476490) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability could allow remote code execution if a user visits a Web site containing a specially crafted Windows Metafile (WMF) image. In all cases, however, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to convince users to visit a malicious Web site, typically by getting them to click a link in an e-mail message or Instant Messenger request. | ||||
Vulnerabilities: CVE-2011-0658 |
Included Updates: 2476490 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-034 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves thirty privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: |
Included Updates: 2506223 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-032 |
Title: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in the OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. In all cases, an attacker would have no way to force users to view the specially crafted content. Instead, an attacker would have to convince users to visit a Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. | ||||
Vulnerabilities: CVE-2011-0034 |
Included Updates: 2507618 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-031 |
Title: Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow remote code execution if a user visited a specially crafted Web site. An attacker would have no way to force users to visit the Web site. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. | ||||
Vulnerabilities: CVE-2011-0663 |
Included Updates: 2510531 2510581 2510587 2514666 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-027 |
Title: Cumulative Security Update of ActiveX Kill Bits (2508272) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft software. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for three third-party ActiveX controls. | ||||
Vulnerabilities: CVE-2010-0811 CVE-2010-3973 CVE-2011-1243 |
Included Updates: 2508272 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-026 |
Title: Vulnerability in MHTML Could Allow Information Disclosure (2503658) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows. The vulnerability could allow information disclosure if a user visited a specially crafted Web site. In a Web-based attack scenario, a Web site could contain a specially crafted link that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open the specially crafted link. | ||||
Vulnerabilities: CVE-2011-0096 |
Included Updates: 2503658 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-020 |
Title: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities. | ||||
Vulnerabilities: CVE-2011-0661 |
Included Updates: 2508429 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-013 |
Title: Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if a local, authenticated attacker installs a malicious service on a domain-joined computer. | ||||
Vulnerabilities: CVE-2011-0043 CVE-2011-0091 |
Included Updates: 2425227 2478971 2496930 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 R2 Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-012 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2011-0086 CVE-2011-0087 CVE-2011-0088 CVE-2011-0089 CVE-2011-0090 |
Included Updates: 2479628 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-009 |
Title: Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow information disclosure if a user visited a specially crafted Web site. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. | ||||
Vulnerabilities: CVE-2011-0031 |
Included Updates: 2475792 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 R2 |
Bulletin ID: MS11-007 |
Title: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. In all cases, an attacker would have no way to force users to view the specially crafted content. Instead, an attacker would have to convince users to visit a Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. | ||||
Vulnerabilities: CVE-2011-0033 |
Included Updates: 2485376 |
Applies to: Windows 7 Windows 7 Language Packs Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-098 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves one publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-3939 CVE-2010-3940 CVE-2010-3941 CVE-2010-3942 CVE-2010-3943 CVE-2010-3944 |
Included Updates: 2436673 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-095 |
Title: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file type such as .eml and .rss (Windows Live Mail) or .wpost (Microsoft Live Writer) located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. | ||||
Vulnerabilities: CVE-2010-3966 |
Included Updates: 2385678 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 R2 |
Bulletin ID: MS10-091 |
Title: Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves several privately reported vulnerabilities in the Windows OpenType Font (OTF) driver that could allow remote code execution. An attacker could host a specially crafted OpenType font on a network share. The affected control path is then triggered when the user navigates to the share in Windows Explorer, allowing the specially crafted font to take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2010-3956 CVE-2010-3957 CVE-2010-3959 |
Included Updates: 2296199 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-085 |
Title: Vulnerability in SChannel Could Allow Denial of Service (2207566) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The vulnerability could allow denial of service if an affected system received a specially crafted packet message via Secure Sockets Layer (SSL). By default, all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not configured to receive SSL network traffic. | ||||
Vulnerabilities: CVE-2010-3229 |
Included Updates: 2207566 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS10-073 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves several publicly disclosed vulnerabilities in the Windows kernel-mode drivers. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-2549 CVE-2010-2743 CVE-2010-2744 |
Included Updates: 981957 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-058 |
Title: Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege due to an error in the processing of a specific input buffer. An attacker who is able to log on to the target system could exploit this vulnerability and run arbitrary code with system-level privileges. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2010-1892 CVE-2010-1893 |
Included Updates: 978886 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS10-054 |
Title: Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities. | ||||
Vulnerabilities: CVE-2010-2550 CVE-2010-2551 CVE-2010-2552 |
Included Updates: 982214 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-051 |
Title: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. | ||||
Vulnerabilities: CVE-2010-2561 |
Included Updates: 2079403 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-049 |
Title: Vulnerabilities in SChannel could allow Remote Code Execution (980436) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. | ||||
Vulnerabilities: CVE-2009-3555 CVE-2010-2566 |
Included Updates: 980436 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-048 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves one publicly disclosed and four privately reported vulnerabilities in the Windows kernel-mode drivers. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-1887 CVE-2010-1894 CVE-2010-1895 CVE-2010-1896 CVE-2010-1897 |
Included Updates: 2160329 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-047 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-1888 CVE-2010-1889 CVE-2010-1890 |
Included Updates: 981852 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP |
Bulletin ID: MS10-046 |
Title: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
Vulnerabilities: CVE-2010-2568 |
Included Updates: 2286198 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-037 |
Title: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow elevation of privilege if a user views content rendered in a specially crafted CFF font. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-0819 |
Included Updates: 980218 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-034 |
Title: Cumulative Security Update of ActiveX Kill Bits (980195) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update addresses two privately reported vulnerabilities for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, and Windows 7, and Moderate for all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-0252 CVE-2010-0811 |
Included Updates: 980195 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-032 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in the Windows kernel-mode drivers. The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted TrueType font. | ||||
Vulnerabilities: CVE-2010-0484 CVE-2010-0485 CVE-2010-1255 |
Included Updates: 979559 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-022 |
Title: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves a publicly disclosed vulnerability in VBScript on Microsoft Windows that could allow remote code execution. This security update is rated Important for Microsoft Windows 2000, Windows XP, and Windows Server 2003. On Windows Server 2008, Windows Vista, Windows 7, and Windows Server 2008 R2, the vulnerable code is not exploitable; however, because the code is present, this update is provided as a defense-in-depth measure and has no severity rating. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
Vulnerabilities: CVE-2010-0483 |
Included Updates: 981169 981332 981349 981350 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-021 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
Vulnerabilities: CVE-2010-0234 CVE-2010-0235 CVE-2010-0236 CVE-2010-0237 CVE-2010-0238 CVE-2010-0481 CVE-2010-0482 CVE-2010-0810 |
Included Updates: 979683 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-020 |
Title: Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves one publicly disclosed and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server. | ||||
Vulnerabilities: CVE-2009-3676 CVE-2010-0269 CVE-2010-0270 CVE-2010-0476 CVE-2010-0477 |
Included Updates: 980232 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-019 |
Title: Vulnerabilities in Windows Could Allow Remote Code Execution (981210) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves two privately reported vulnerabilities in Windows Authenticode Verification that could allow remote code execution. An attacker who successfully exploited either vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | ||||
Vulnerabilities: CVE-2010-0486 CVE-2010-0487 |
Included Updates: 978601 979309 981210 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-012 |
Title: Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-09 |
Description: This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities. |
Vulnerabilities: CVE-2010-0020 CVE-2010-0021 CVE-2010-0022 CVE-2010-0231 |
Included Updates: 971468 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-006 |
Title: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-09 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a malicious SMB server. |
Vulnerabilities: CVE-2010-0016 CVE-2010-0017 |
Included Updates: 978251 |
Applies to: Windows 2000 Windows 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS13-036 |
Title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the most severe vulnerabilities. |
Vulnerabilities: CVE-2013-1283 CVE-2013-1291 CVE-2013-1292 CVE-2013-1293 |
Included Updates: 2808735 2829996 2840149 |
Applies to: Server Core Installation Option Windows 2008 R2 Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2012 Windows Vista Windows XP |
Bulletin ID: MS13-031 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. |
Vulnerabilities: CVE-2013-1284 CVE-2013-1294 |
Included Updates: 2813170 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
Bulletin ID: MS13-029 |
Title: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2013-1296 |
Included Updates: 2813345 2813347 2828223 |
Applies to: Windows 7 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP |
Bulletin ID: MS13-027 |
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow elevation of privilege if an attacker gains access to a system. |
Vulnerabilities: CVE-2013-1285 CVE-2013-1286 CVE-2013-1287 |
Included Updates: 2807986 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
Bulletin ID: MS13-019 |
Title: Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2790113) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. |
Vulnerabilities: CVE-2013-0076 |
Included Updates: 2790113 |
Applies to: Server Core installation option Windows 7 Windows Server 2008 R2 |
Bulletin ID: MS13-018 |
Title: Vulnerability in TCP/IP Could Allow Denial of Service (2790655) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an unauthenticated attacker sends a specially crafted connection termination packet to the server. |
Vulnerabilities: CVE-2013-0075 |
Included Updates: 2790655 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista |
Bulletin ID: MS13-006 |
Title: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (2785220) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in the implementation of SSL and TLS in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker intercepts encrypted web traffic handshakes. |
Vulnerabilities: CVE-2013-0013 |
Included Updates: 2785220 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista |
Bulletin ID: MS13-002 |
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft XML Core Services. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker's website. |
Vulnerabilities: CVE-2013-0006 CVE-2013-0007 |
Included Updates: 2687497 2687499 2756145 2757638 2758694 2758696 2760574 |
Applies to: Windows 7 for 32-bit Systems Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for 64-bit Systems Windows RT Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 for x64-based Systems (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows XP Professional x64 Edition Service Pack 2 Windows XP Service Pack 3 |
Bulletin ID: MS13-001 |
Title: Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution (2769369) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a print server received a specially crafted print job. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems connected directly to the Internet have a minimal number of ports exposed. |
Vulnerabilities: CVE-2013-0011 |
Included Updates: 2769369 |
Applies to: Server Core installation option Windows 7 Windows Server 2008 R2 |
Bulletin ID: MS12-082 |
Title: Vulnerability in DirectPlay Could Allow Remote Code Execution (2770660) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to view a specially crafted Office document with embedded content. An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-1537 |
Included Updates: 2770660 |
Applies to: Windows 7 Windows 8 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
Bulletin ID: MS12-081 |
Title: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2758857) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user browses to a folder that contains a file or subfolder with a specially crafted name. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-4774 |
Included Updates: 2758857 |
Applies to: Server Core installation option Windows 7 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP |
Bulletin ID: MS12-072 |
Title: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (2727528) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user browses to a specially crafted briefcase in Windows Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-1527 CVE-2012-1528 |
Included Updates: 2727528 |
Applies to: Operating System |
Bulletin ID: MS12-069 |
Title: Vulnerability in Kerberos Could Allow Denial of Service (2743555) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote attacker sends a specially crafted session request to the Kerberos server. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. |
Vulnerabilities: CVE-2012-2551 |
Included Updates: 2743555 |
Applies to: Server Core installation option Windows 7 Windows Server 2008 R2 |
Bulletin ID: MS12-056 |
Title: Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines on 64-bit versions of Microsoft Windows. The vulnerability could allow remote code execution if a user visited a specially crafted website. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website. |
Vulnerabilities: CVE-2012-2523 |
Included Updates: 2706045 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP x64 Edition |
Bulletin ID: MS12-054 |
Title: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted response to a Windows print spooler request. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems connected directly to the Internet have a minimal number of ports exposed. |
Vulnerabilities: CVE-2012-1850 CVE-2012-1851 CVE-2012-1852 CVE-2012-1853 |
Included Updates: 2705219 2712808 2733594 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-049 |
Title: Vulnerability in TLS Could Allow Information Disclosure (2655992) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a publicly disclosed vulnerability in TLS. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. All cipher suites that do not use CBC mode are not affected. |
Vulnerabilities: CVE-2012-1870 |
Included Updates: 2655992 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-048 |
Title: Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file or directory with a specially crafted name. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-0175 |
Included Updates: 2691442 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-045 |
Title: Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-1891 |
Included Updates: 2698365 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-036 |
Title: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. |
Vulnerabilities: CVE-2012-0173 |
Included Updates: 2685939 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-034 |
Title: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves three publicly disclosed vulnerabilities and seven privately reported vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. |
Vulnerabilities: CVE-2011-3402 CVE-2012-0159 CVE-2012-0162 CVE-2012-0164 CVE-2012-0165 CVE-2012-0167 CVE-2012-0176 CVE-2012-0180 CVE-2012-0181 CVE-2012-1848 |
Included Updates: 2589337 2596672 2596792 2598253 2636927 2656405 2656407 2656409 2656410 2656411 2658846 2659262 2660649 2676562 2681578 2686509 2690729 |
Applies to: Office 2003 Office 2007 Office 2010 Silverlight Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-033 |
Title: Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. |
Vulnerabilities: CVE-2012-0178 |
Included Updates: 2690533 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS12-024 |
Title: Vulnerability in Windows Could Allow Remote Code Execution (2653956) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. |
Vulnerabilities: CVE-2012-0151 |
Included Updates: 2653956 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-020 |
Title: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. |
Vulnerabilities: CVE-2012-0002 CVE-2012-0152 |
Included Updates: 2621440 2667402 2671387 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-013 |
Title: Vulnerability in C Run-Time Library Could Allow Remote Code Execution (2654428) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted media file that is hosted on a website or sent as an email attachment. An attacker who successfully exploited the vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-0150 |
Included Updates: 2654428 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS12-009 |
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege (2645640) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities. |
Vulnerabilities: CVE-2012-0148 CVE-2012-0149 |
Included Updates: 2645640 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP x64 Edition |
Bulletin ID: MS12-006 |
Title: Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. |
Vulnerabilities: CVE-2011-3389 |
Included Updates: 2585542 2638806 2643584 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-005 |
Title: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-0013 |
Included Updates: 2584146 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-004 |
Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2012-0003 CVE-2012-0004 |
Included Updates: 2598479 2628259 2628642 2631813 2636391 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS12-001 |
Title: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability. |
Vulnerabilities: CVE-2012-0001 |
Included Updates: 2644615 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP x64 Edition |
Bulletin ID: MS11-092 |
Title: Vulnerability in Windows Media Could Allow Remote Code Execution (2648048) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Windows Media Player and Windows Media Center. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so. |
Vulnerabilities: CVE-2011-3401 |
Included Updates: 2619339 2619340 2648048 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-090 |
Title: Cumulative Security Update of ActiveX Kill Bits (2618451) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft software. The vulnerability could allow remote code execution if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls. |
Vulnerabilities: CVE-2011-3397 |
Included Updates: 2618451 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-085 |
Title: Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application. |
Vulnerabilities: CVE-2011-2016 |
Included Updates: 2620704 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS11-076 |
Title: Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a publicly disclosed vulnerability in Windows Media Center. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Media Center could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file. |
Vulnerabilities: CVE-2011-2009 |
Included Updates: 2579686 2579692 2604926 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Vista |
Bulletin ID: MS11-075 |
Title: Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in the Microsoft Active Accessibility component. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, the Microsoft Active Accessibility component could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application. |
Vulnerabilities: CVE-2011-1247 |
Included Updates: 2564958 2605295 2623699 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-071 |
Title: Vulnerability in Windows Components Could Allow Remote Code Execution (2570947) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2011-1991 |
Included Updates: 2570947 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-059 |
Title: Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate Excel file (such as a .xlsx file) that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2011-1975 |
Included Updates: 2560656 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 R2 |
Bulletin ID: MS11-053 |
Title: Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (2566220) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in the Windows Bluetooth Stack. The vulnerability could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability only affects systems with Bluetooth capability. |
Vulnerabilities: CVE-2011-1265 |
Included Updates: 2532531 2561109 2566220 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Vista |
Bulletin ID: MS11-048 |
Title: Vulnerability in SMB Server Could Allow Denial of Service (2536275) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit this vulnerability. |
Vulnerabilities: CVE-2011-1267 |
Included Updates: 2536275 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 Windows Server 2008 R2 Windows Vista |
Bulletin ID: MS11-043 |
Title: Vulnerability in SMB Client Could Allow Remote Code Execution (2536276) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server. |
Vulnerabilities: CVE-2011-1268 |
Included Updates: 2536276 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-037 |
Title: Vulnerability in MHTML Could Allow Information Disclosure (2544893) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows. The vulnerability could allow information disclosure if a user opens a specially crafted URL from an attacker's web site. An attacker would have to convince the user to visit the web site, typically by getting them to follow a link in an e-mail message or Instant Messenger message. |
Vulnerabilities: CVE-2011-1894 |
Included Updates: 2544893 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-030 |
Title: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in Windows DNS resolution. The vulnerability could allow remote code execution if an attacker gained access to the network and then created a custom program to send specially crafted LLMNR broadcast queries to the target systems. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the LLMNR ports should be blocked from the Internet. |
Vulnerabilities: CVE-2011-0657 |
Included Updates: 2509553 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-024 |
Title: Vulnerabilities in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves two publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opened a specially crafted fax cover page file (.cov) using the Windows Fax Cover Page Editor. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2010-3974 CVE-2010-4701 |
Included Updates: 2491683 2506212 2527308 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-019 |
Title: Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit the vulnerability, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server. |
Vulnerabilities: CVE-2011-0654 CVE-2011-0660 |
Included Updates: 2511455 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS11-015 |
Title: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-09-02 |
Description: This security update resolves one publicly disclosed vulnerability in DirectShow and one privately reported vulnerability in Windows Media Player and Windows Media Center. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so. |
Vulnerabilities: CVE-2011-0032 CVE-2011-0042 |
Included Updates: 2479943 2494132 2502898 2510030 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS10-081 |
Title: Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2296011) |
Update Type: Security Update |
Severity: Important |
Date: 2014-09-02 |
Description: This security update resolves a privately reported vulnerability in the Windows common control library. The vulnerability could allow remote code execution if a user visited a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2010-2746 |
Included Updates: 2296011 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP Windows XP x64 Edition |
Bulletin ID: MS14-045 |
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2984615) |
Update Type: Security Update |
Severity: Important |
Date: 2014-08-27 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. |
Vulnerabilities: CVE-2014-0318 CVE-2014-1819 CVE-2014-4064 |
Included Updates: 2976897 2984615 2993651 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-051 |
Title: Cumulative Security Update for Internet Explorer (2976627) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-08-12 |
Description: This security update resolves one publicly disclosed and twenty-five privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-2774 CVE-2014-2784 CVE-2014-2796 CVE-2014-2808 CVE-2014-2810 CVE-2014-2811 CVE-2014-2817 CVE-2014-2818 CVE-2014-2819 CVE-2014-2820 CVE-2014-2821 CVE-2014-2822 CVE-2014-2823 CVE-2014-2824 CVE-2014-2825 CVE-2014-2826 CVE-2014-2827 CVE-2014-4050 CVE-2014-4051 CVE-2014-4052 CVE-2014-4055 CVE-2014-4056 CVE-2014-4057 CVE-2014-4058 CVE-2014-4063 CVE-2014-4067 CVE-2014-4145 CVE-2014-6354 |
Included Updates: 2976627 |
Applies to: Internet Explorer 10 Internet Explorer 11 Internet Explorer 6 Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 |
Bulletin ID: MS14-050 |
Title: Vulnerability in Microsoft SharePoint Server Could Allow Elevation of Privilege (2977202) |
Update Type: Security Update |
Severity: Important |
Date: 2014-08-12 |
Description: This security update resolves one privately reported vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could use a specially crafted app to run arbitrary JavaScript in the context of the user on the current SharePoint site. |
Vulnerabilities: CVE-2014-2816 |
Included Updates: 2880994 2977202 |
Applies to: Microsoft Knowledge Base Article 2880994 Microsoft Knowledge Base Article 887012 Microsoft Knowledge Base Article 912203 |
Bulletin ID: MS14-048 |
Title: Vulnerability in OneNote Could Allow Remote Code Execution (2977201) |
Update Type: Security Update |
Severity: Important |
Date: 2014-08-12 |
Description: This security update resolves a privately reported vulnerability in Microsoft OneNote. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft OneNote. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-2815 |
Included Updates: 2596857 2977201 |
Applies to: Microsoft OneNote 2007 Service Pack 3 |
Bulletin ID: MS14-047 |
Title: Vulnerability in LRPC Could Allow Security Feature Bypass (2978668) |
Update Type: Security Update |
Severity: Important |
Date: 2014-08-12 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker uses the vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that takes advantage of the ASLR bypass to run arbitrary code. |
Vulnerabilities: CVE-2014-0316 |
Included Updates: 2978668 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2012 Windows Server 2012 R2 |
Bulletin ID: MS14-044 |
Title: Vulnerabilities in SQL Server Could Allow Elevation of Privilege (2984340) |
Update Type: Security Update |
Severity: Important |
Date: 2014-08-12 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft SQL Server (one in SQL Server Master Data Services and the other in the SQL Server relational database management system). The more severe of these vulnerabilities, affecting SQL Server Master Data Services, could allow elevation of privilege if a user visits a specially crafted website that injects a client-side script into the user's instance of Internet Explorer. In all cases, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website, or by getting them to open an attachment sent through email. |
Vulnerabilities: CVE-2014-1820 CVE-2014-4061 |
Included Updates: 2977315 2977316 2977319 2977320 2977321 2977322 2977325 2977326 2984340 |
Applies to: Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 2 Microsoft SQL Server 2008 R2 for Itanium-based Systems Service Pack 2 Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 2 Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3 Microsoft SQL Server 2008 for Itanium-based Systems Service Pack 3 Microsoft SQL Server 2008 for x64-based Systems Service Pack 3 Microsoft SQL Server 2012 for 32-bit Systems Service Pack 1 Microsoft SQL Server 2012 for x64-based Systems Service Pack 1 Microsoft SQL Server 2014 for x64-based Systems |
Bulletin ID: MS14-043 |
Title: Vulnerability in Windows Media Center Could Allow Remote Code Execution (2978742) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-08-12 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that invokes Windows Media Center resources. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-4060 |
Included Updates: 2978742 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Media Center |
Bulletin ID: MS14-036 |
Title: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-08-12 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerabilities could allow remote code execution if a user opens a specially crafted file or webpage. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-1817 CVE-2014-1818 |
Included Updates: 2767915 2863942 2878233 2881013 2881069 2881071 2957503 2957509 2963284 2963285 2964718 2964736 2965155 2965161 2967487 |
Applies to: |
Bulletin ID: MS11-098 |
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) |
Update Type: Security Update |
Severity: Important |
Date: 2014-08-12 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. |
Vulnerabilities: CVE-2011-2018 |
Included Updates: 2633171 |
Applies to: Windows 7 Windows Embedded Standard 7 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP |
Bulletin ID: MS14-041 |
Title: Vulnerability in DirectShow Could Allow Elevation of Privilege (2975681) |
Update Type: Security Update |
Severity: Important |
Date: 2014-07-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user. By default, the modern, immersive browsing experience on Windows 8 and Windows 8.1 runs with Enhanced Protected Mode (EPM). For example, customers using the touch-friendly Internet Explorer 11 browser on modern Windows tablets are using Enhanced Protected Mode by default. Enhanced Protected Mode uses advanced security protections that can help mitigate against exploitation of this vulnerability on 64-bit systems. |
Vulnerabilities: CVE-2014-2780 |
Included Updates: 2972280 2973932 2975681 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-040 |
Title: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) |
Update Type: Security Update |
Severity: Important |
Date: 2014-07-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs onto a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. |
Vulnerabilities: CVE-2014-1767 |
Included Updates: 2961072 2973408 2975684 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-039 |
Title: Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege (2975685) |
Update Type: Security Update |
Severity: Important |
Date: 2014-07-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system. |
Vulnerabilities: CVE-2014-2781 |
Included Updates: 2973201 2973906 2975685 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-038 |
Title: Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-07-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-1824 |
Included Updates: 2971850 2974286 2975689 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-033 |
Title: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061) |
Update Type: Security Update |
Severity: Important |
Date: 2014-06-16 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a logged on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website. |
Vulnerabilities: CVE-2014-1816 |
Included Updates: 2939576 2957482 2966061 2966631 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-031 |
Title: Vulnerability in TCP Protocol Could Allow Denial of Service (2962478) |
Update Type: Security Update |
Severity: Important |
Date: 2014-06-16 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a sequence of specially crafted packets to the target system. |
Vulnerabilities: CVE-2014-1811 |
Included Updates: 2957189 2961858 2962478 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-030 |
Title: Vulnerability in Remote Desktop Could Allow Tampering (2969259) |
Update Type: Security Update |
Severity: Important |
Date: 2014-06-16 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active Remote Desktop Protocol (RDP) session, and then sends specially crafted RDP packets to the targeted system. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. |
Vulnerabilities: CVE-2014-0296 |
Included Updates: 2965788 2966034 2969259 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 Windows Server 2012 R2 |
Bulletin ID: MS14-034 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261) |
Update Type: Security Update |
Severity: Important |
Date: 2014-06-10 |
Description: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-2778 |
Included Updates: 2880513 2880515 2969261 |
Applies to: Microsoft Office Compatibility Pack Service Pack 3 Microsoft Word 2007 Service Pack 3 |
Bulletin ID: MS14-032 |
Title: Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258) |
Update Type: Security Update |
Severity: Important |
Date: 2014-06-10 |
Description: This security update resolves a privately reported vulnerability in Microsoft Lync Server. The vulnerability could allow information disclosure if a user tries to join a Lync meeting by clicking a specially crafted meeting URL. |
Vulnerabilities: CVE-2014-1823 |
Included Updates: 2963286 2963288 2969258 |
Applies to: Microsoft Lync Server 2010 Microsoft Lync Server 2013 |
Bulletin ID: MS14-028 |
Title: Vulnerabilities in iSCSI Could Allow Denial of Service (2962485) |
Update Type: Security Update |
Severity: Important |
Date: 2014-05-13 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends large amounts of specially crafted iSCSI packets over the target network. This vulnerability only affects servers for which the iSCSI target role has been enabled. |
Vulnerabilities: CVE-2014-0255 CVE-2014-0256 |
Included Updates: 2933826 2962073 2962485 |
Applies to: Windows Server 2012 Windows Server 2012 R2 iSCSI Software Target 3.3 |
Bulletin ID: MS14-027 |
Title: Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488) |
Update Type: Security Update |
Severity: Important |
Date: 2014-05-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that uses ShellExecute. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. |
Vulnerabilities: CVE-2014-1807 |
Included Updates: 2926765 2962123 2962488 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
Bulletin ID: MS14-026 |
Title: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) |
Update Type: Security Update |
Severity: Important |
Date: 2014-05-13 |
Description: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow elevation of privilege if an unauthenticated attacker sends specially crafted data to an affected workstation or server that uses .NET Remoting. .NET Remoting is not widely used by applications; only custom applications that have been specifically designed to use .NET Remoting would expose a system to the vulnerability. |
Vulnerabilities: CVE-2014-1806 |
Included Updates: 2931352 2931354 2931356 2931357 2931358 2931365 2931366 2931367 2931368 2932079 2958732 |
Applies to: Microsoft .NET Framework 1.1 Service Pack 1 Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4 Microsoft .NET Framework 4.5 Microsoft .NET Framework 4.5.1 |
Bulletin ID: MS14-025 |
Title: Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486) |
Update Type: Security Update |
Severity: Important |
Date: 2014-05-13 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain - a practice that could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences. |
Vulnerabilities: CVE-2014-1812 |
Included Updates: 2928120 2961899 2962486 |
Applies to: Remote Server Administration Tools Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2012 Windows Server 2012 R2 |
Bulletin ID: MS14-024 |
Title: Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033) |
Update Type: Security Update |
Severity: Important |
Date: 2014-05-13 |
Description: This security update resolves one privately reported vulnerability in an implementation of the MSCOMCTL common controls library. The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code. |
Vulnerabilities: CVE-2014-1809 |
Included Updates: 2589288 2596804 2760272 2810073 2817330 2880502 2880507 2880508 2880971 2961033 |
Applies to: Microsoft Office 2007 Service Pack 3 Microsoft Office 2010 Service Pack 1 (32-bit editions) Microsoft Office 2010 Service Pack 1 (64-bit editions) Microsoft Office 2010 Service Pack 2 (32-bit editions) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Office 2013 (32-bit editions) Microsoft Office 2013 (64-bit editions) Microsoft Office 2013 Service Pack 1 (32-bit editions) Microsoft Office 2013 Service Pack 1 (64-bit editions) |
Bulletin ID: MS14-023 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037) |
Update Type: Security Update |
Severity: Important |
Date: 2014-05-13 |
Description: This security update resolves two privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens an Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-1756 CVE-2014-1808 |
Included Updates: 2767772 2878284 2878316 2880463 2961037 |
Applies to: Microsoft Office 2007 Service Pack 3 Microsoft Office 2010 Service Pack 1 (32-bit editions) Microsoft Office 2010 Service Pack 1 (64-bit editions) Microsoft Office 2010 Service Pack 2 (32-bit editions) Microsoft Office 2010 Service Pack 2 (64-bit editions) Microsoft Office 2013 (32-bit editions) Microsoft Office 2013 (64-bit editions) Microsoft Office 2013 Service Pack 1 (32-bit editions) Microsoft Office 2013 Service Pack 1 (64-bit editions) |
Bulletin ID: MS14-022 |
Title: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-05-13 |
Description: This security update resolves multiple privately reported vulnerabilities in Microsoft Office server and productivity software. The most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server. |
Vulnerabilities: CVE-2014-0251 CVE-2014-1754 CVE-2014-1813 |
Included Updates: 2596763 2596810 2596861 2596902 2752096 2760236 2810069 2837588 2837598 2837616 2863829 2863836 2863854 2863856 2863863 2863922 2880453 2880536 2952166 |
Applies to: Microsoft SharePoint Foundation 2010 Service Pack 1 Microsoft SharePoint Foundation 2010 Service Pack 2 Microsoft SharePoint Foundation 2013 Microsoft SharePoint Foundation 2013 Service Pack 1 Microsoft SharePoint Server 2010 Service Pack 1 Microsoft SharePoint Server 2010 Service Pack 2 Microsoft SharePoint Server 2013 Microsoft SharePoint Server 2013 Service Pack 1 Microsoft Windows SharePoint Services 3.0 Service Pack 3 (32-bit versions) Microsoft Windows SharePoint Services 3.0 Service Pack 3 (64-bit versions) SharePoint Server 2007 Service Pack 3 (32-bit editions) SharePoint Server 2007 Service Pack 3 (64-bit editions) |
Bulletin ID: MS14-020 |
Title: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145) |
Update Type: Security Update |
Severity: Important |
Date: 2014-04-08 |
Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file in an affected version of Microsoft Publisher. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-1759 |
Included Updates: 2817565 2878299 2950145 |
Applies to: Components Microsoft Office Suites |
Bulletin ID: MS14-019 |
Title: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229) |
Update Type: Security Update |
Severity: Important |
Date: 2014-04-08 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user runs specially crafted .bat and .cmd files from a trusted or semi-trusted network location. An attacker would have no way to force users to visit the network location or run the specially crafted files. Instead, an attacker would have to convince users to take such action. For example, an attacker could trick users into clicking a link that takes them to the location of the attacker's specially crafted files and subsequently convince them to run them. |
Vulnerabilities: CVE-2014-0315 |
Included Updates: 2922229 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
Bulletin ID: MS14-017 |
Title: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-04-08 |
Description: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Office. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened or previewed in an affected version of Microsoft Office software. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. |
Vulnerabilities: CVE-2014-1757 CVE-2014-1758 CVE-2014-1761 |
Included Updates: 2863907 2863910 2863919 2863926 2878219 2878220 2878221 2878236 2878237 2878303 2878304 2949660 |
Applies to: Microsoft Office 2003 Microsoft Office 2007 Microsoft Office 2010 Microsoft Office 2013 Microsoft Office 2013 RT Microsoft Office for Mac Other Office Software |
Bulletin ID: MS14-016 |
Title: Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418) |
Update Type: Security Update |
Severity: Important |
Date: 2014-03-11 |
Description: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker makes multiple attempts to match passwords to a username. |
Vulnerabilities: CVE-2014-0317 |
Included Updates: 2923392 2933528 2934418 |
Applies to: Server Core installation option Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
Bulletin ID: MS14-015 |
Title: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2930275) |
Update Type: Security Update |
Severity: Important |
Date: 2014-03-11 |
Description: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. |
Vulnerabilities: CVE-2014-0300 CVE-2014-0323 |
Included Updates: 2930275 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
Bulletin ID: MS14-014 |
Title: Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677) |
Update Type: Security Update |
Severity: Important |
Date: 2014-03-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Silverlight. The vulnerability could allow security feature bypass if an attacker hosts a website that contains specially crafted Silverlight content that is designed to exploit the vulnerability, and then convinces a user to view the website. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems. |
Vulnerabilities: CVE-2014-0319 |
Included Updates: 2932677 |
Applies to: Microsoft Silverlight 5 |
Bulletin ID: MS14-013 |
Title: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2929961) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-03-11 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted image file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-0301 |
Included Updates: 2929961 |
Applies to: Windows 7 Windows 8 Windows 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
Bulletin ID: MS14-009 |
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) |
Update Type: Security Update |
Severity: Important |
Date: 2014-02-28 |
Description: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft .NET Framework. The most severe vulnerability could allow elevation of privilege if a user visits a specially crafted website or a website containing specially crafted web content. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the compromised website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website. |
Vulnerabilities: CVE-2014-0253 CVE-2014-0257 CVE-2014-0295 |
Included Updates: 2898855 2898856 2898857 2898858 2898860 2898864 2898865 2898866 2898868 2898869 2898870 2898871 2901110 2901111 2901112 2901113 2901115 2901118 2901119 2901120 2901125 2901126 2901127 2901128 2904878 2911501 2911502 2916607 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
Bulletin ID: MS14-007 |
Title: Vulnerability in Direct2D Could Allow Remote Code Execution (2912390) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-02-28 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker's website, or by getting them to open an attachment sent through email. |
Vulnerabilities: CVE-2014-0263 |
Included Updates: 2912390 |
Applies to: Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 |
Bulletin ID: MS14-005 |
Title: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036) |
Update Type: Security Update |
Severity: Important |
Date: 2014-02-28 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services included in Microsoft Windows. The vulnerability could allow information disclosure if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to view specially crafted content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker's website, or by getting them to open an attachment sent through email. |
Vulnerabilities: CVE-2014-0266 |
Included Updates: 2916036 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
Bulletin ID: MS13-098 |
Title: Vulnerability in Windows Could Allow Remote Code Execution (2893294) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-02-28 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system. |
Vulnerabilities: CVE-2013-3900 |
Included Updates: 2893294 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
Bulletin ID: MS13-095 |
Title: Vulnerability in Digital Signatures Could Allow Denial of Service (2868626) |
Update Type: Security Update |
Severity: Important |
Date: 2014-02-28 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service when an affected web service processes a specially crafted X.509 certificate. |
Vulnerabilities: CVE-2013-3869 |
Included Updates: 2868626 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
Bulletin ID: MS13-090 |
Title: Cumulative Security Update of ActiveX Kill Bits (2900986) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-02-28 |
Description: This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. The vulnerability could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2013-3918 |
Included Updates: 2900986 |
Applies to: |
Bulletin ID: MS14-011 |
Title: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-02-11 |
Description: This security update resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visited a specially crafted website. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website. |
Vulnerabilities: CVE-2014-0271 |
Included Updates: 2909212 2909213 2928390 |
Applies to: Server Core installation VBScript 5.6 VBScript 5.7 VBScript 5.8 (Internet Explorer 10) VBScript 5.8 (Internet Explorer 11) VBScript 5.8 (Internet Explorer 8) VBScript 5.8 (Internet Explorer 9) |
Bulletin ID: MS14-010 |
Title: Cumulative Security Update for Internet Explorer (2909921) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-02-11 |
Description: This security update resolves one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-0267 CVE-2014-0268 CVE-2014-0269 CVE-2014-0270 CVE-2014-0271 CVE-2014-0272 CVE-2014-0273 CVE-2014-0274 CVE-2014-0275 CVE-2014-0276 CVE-2014-0277 CVE-2014-0278 CVE-2014-0279 CVE-2014-0280 CVE-2014-0281 CVE-2014-0283 CVE-2014-0284 CVE-2014-0285 CVE-2014-0286 CVE-2014-0287 CVE-2014-0288 CVE-2014-0289 CVE-2014-0290 CVE-2014-0293 |
Included Updates: 2909921 |
Applies to: Internet Explorer 10 Internet Explorer 11 Internet Explorer 6 Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 |
Bulletin ID: MS14-006 |
Title: Vulnerability in IPv6 Could Allow Denial of Service (2904659) |
Update Type: Security Update |
Severity: Important |
Date: 2014-02-11 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a large number of specially crafted IPv6 packets to an affected system. To exploit the vulnerability, an attacker's system must belong to the same subnet as the target system. |
Vulnerabilities: CVE-2014-0254 |
Included Updates: 2904659 |
Applies to: Server Core installation option Windows 8 Windows RT Windows Server 2012 |
Bulletin ID: MS14-003 |
Title: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602) |
Update Type: Security Update |
Severity: Important |
Date: 2014-01-14 |
Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a user logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. |
Vulnerabilities: CVE-2014-0262 |
Included Updates: 2913602 |
Applies to: Server Core installation option Windows 7 Windows Server 2008 R2 |
Bulletin ID: MS14-002 |
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) |
Update Type: Security Update |
Severity: Important |
Date: 2014-01-14 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. |
Vulnerabilities: CVE-2013-5065 |
Included Updates: 2914368 |
Applies to: Windows Server 2003 Windows XP |
Bulletin ID: MS14-001 |
Title: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605) |
Update Type: Security Update |
Severity: Important |
Date: 2014-01-14 |
Description: This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Vulnerabilities: CVE-2014-0258 CVE-2014-0259 CVE-2014-0260 |
Included Updates: 2827224 2837577 2837596 2837615 2837617 2837625 2863834 2863866 2863867 2863879 2863901 2863902 2916605 |
Applies to: Microsoft Office 2003 Microsoft Office 2007 Microsoft Office 2010 Microsoft Office 2013 Microsoft Office 2013 RT Other Office Software |
Bulletin ID: MS13-081 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008) |
Update Type: Security Update |
Severity: Critical |
Date: 2014-01-14 |
Description: This security update resolves seven privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user views shared content that embeds OpenType or TrueType font files. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. |
Vulnerabilities: CVE-2013-3128 CVE-2013-3200 CVE-2013-3879 CVE-2013-3880 CVE-2013-3881 CVE-2013-3888 CVE-2013-3894 |
Included Updates: 2847311 2855844 2862330 2862335 2863725 2864202 2868038 2870008 2876284 2883150 2884256 |
Applies to: Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows 8 for 32-bit Systems Windows 8 for 64-bit Systems Windows RT Windows Server 2003 Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows XP Professional x64 Edition Service Pack 2 Windows XP Service Pack 3 |
Bulletin ID: MS12-066 |
Title: Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517) |
Update Type: Security Update |
Severity: Important |
Date: 2014-01-14 |
Description: This security update resolves a publicly disclosed vulnerability in Microsoft Office, Microsoft Communications Platforms, Microsoft Server software, and Microsoft Office Web Apps. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user. |
Vulnerabilities: CVE-2012-2520 |
Included Updates: 2589280 2687402 2687405 2687417 2687434 2687435 2687436 2687439 2687440 2687442 2726382 2726388 2726391 2741517 |
Applies to: |
Bulletin ID: MS12-050 |
Title: Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502) |
Update Type: Security Update |
Severity: Important |
Date: 2014-01-14 |
Description: This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft SharePoint and Windows SharePoint Services. The most severe vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes the user to a targeted SharePoint site. |
Vulnerabilities: CVE-2012-1858 CVE-2012-1859 CVE-2012-1860 CVE-2012-1861 CVE-2012-1862 CVE-2012-1863 |
Included Updates: 2553194 2553322 2553365 2553424 2553431 2589325 2596663 2596666 2596786 2596911 2596942 2598239 2695502 |
Applies to: Office 2007 Office 2010 Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Server 2008 R2 |