Eight bulletins were released this month which address 13 unique CVEs in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. For those who need to prioritize their deployment planning, Microsoft recommends focusing on MS14-024, MS14-025, and MS14-029.

As a reminder, Windows XP will not be receiving any updates this month as Microsoft recommends moving to a modern operating system.


Exploitability Assessment

| Bulletin ID | Vulnerability Title | CVE ID | Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Key Notes |
|---|---|---|---|---|---|---|
| MS14-021 (Released out-of-band on May 1, 2014) | Internet Explorer Memory Corruption Vulnerability | CVE-2014-1776 | 1 – Exploit code likely | 1 – Exploit code likely | Not applicable | This vulnerability has been publicly disclosed. This vulnerability was first described in Microsoft Security Advisory 2963983. Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability in Internet Explorer. |
| MS14-022 | SharePoint Page Content Vulnerability | CVE-2014-0251 | 1 – Exploit code likely | 1 – Exploit code likely | Not applicable | (None) |
| MS14-022 | SharePoint XSS Vulnerability | CVE-2014-1754 | 1 – Exploit code likely | Not affected | Not applicable | (None) |
| MS14-022 | Web Applications Page Content Vulnerability | CVE-2014-1813 | Not affected | 3 – Exploit code unlikely | Temporary | (None) |
| MS14-023 | Microsoft Office Chinese Grammar Checking Vulnerability | CVE-2014-1756 | 1 – Exploit code likely | 1 – Exploit code likely | Not applicable | (None) |
| MS14-023 | Token Reuse Vulnerability | CVE-2014-1808 | 3 – Exploit code unlikely | 3 – Exploit code unlikely | Not applicable | This is an information disclosure vulnerability. |
| MS14-024 | MSCOMCTL ASLR Vulnerability | CVE-2014-1809 | Not applicable | Not applicable | Not applicable | This is a security feature bypass vulnerability. Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability. |
| MS14-025 | Group Policy Preferences Password Elevation of Privilege Vulnerability | CVE-2014-1812 | 1 – Exploit code likely | 1 – Exploit code likely | Not applicable | This vulnerability has been publicly disclosed. |
| MS14-026 | TypeFilterLevel Vulnerability | CVE-2014-1806 | 1 – Exploit code likely | 1 – Exploit code likely | Not applicable | (None) |
| MS14-027 | Windows Shell File Association Vulnerability | CVE-2014-1807 | 1 – Exploit code likely | 1 – Exploit code likely | Not applicable | Microsoft is aware of limited attacks that attempt to exploit this vulnerability. |
| MS14-028 | iSCSI Target Remote Denial of Service Vulnerability | CVE-2014-0255 | 3 – Exploit code unlikely | 3 – Exploit code unlikely | Temporary | This is a denial of service vulnerability. |
| MS14-028 | iSCSI Target Remote Denial of Service Vulnerability | CVE-2014-0256 | 3 – Exploit code unlikely | 3 – Exploit code unlikely | Temporary | This is a denial of service vulnerability. |
| MS14-029 | Internet Explorer Memory Corruption Vulnerability | CVE-2014-0310 | 1 – Exploit code likely | 1 – Exploit code likely | Not applicable | (None) |
| MS14-029 | Internet Explorer Memory Corruption Vulnerability | CVE-2014-1815 | 1 – Exploit code likely | 1 – Exploit code likely | Not applicable | Microsoft is aware of limited attacks that attempt to exploit this vulnerability in Internet Explorer. |

(source: Microsoft Security Response Center)


May 19, 2014

Update Report on Patches MS14-021 to MS14-029

MS14-021: (Released out-of-band on May 1) Deployed via Kaseya and tested successfully for Internet Explorer 7, 8, 9, 10, 11 on Windows 2003, 2008, 7, 2008R2, 8.1, 2012R2.

MS14-022: Deployed via Kaseya and tested successfully for SharePoint Server 2010, 2013.

MS14-023: Deployed via Kaseya and tested successfully for Office 2010, 2013.

MS14-024: Deployed via Kaseya and tested successfully for Office 2007, 2010, 2013.

MS14-025: Deployed via Kaseya and tested successfully on Vista, 2008, 7, 2008R2, 8, 8.1, 2012R2.

MS14-026: Deployed via Kaseya and tested successfully on 2003, Vista, 2008, 7, 2008R2, 8, 8.1, 2012R2.

MS14-027: Deployed via Kaseya and tested successfully on 2003, Vista, 2008, 7, 2008R2, 8, 8.1, 2012R2.

MS14-028: Deployed via Kaseya and tested successfully on 2008, 2008R2, 2012R2.

MS14-029: Deployed via Kaseya and tested successfully for Internet Explorer 7, 8, 9, 10, 11 on Windows 2003, 2008, 7, 2008R2, 8.1, 2012R2.