The most notable of the bunch is MS14-002, because it addresses a zero day flaw in Windows XP that has already seen limited exploit in the wild for a few months. Don't let the lack of Critical bulletins make you apathetic, though — you should still apply all applicable patches and updates as quickly as possible.
Security patchesMS14-001 / KB2916605 - Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution
This security bulletins addresses a few separate vulnerabilities in Microsoft Office. An attacker could use a specially-crafted malicious file to exploit the flaw and execute remote code on the vulnerable system. The impact of these flaws is reduced by the facts that the attacker first has to dupe a user into opening the malicious file, and that a successful exploit only allows the attacker to run remote code in the same context as the currently logged in user. As long as the user does not have Administrator privileges on the system, there is minimal risk.
This is the most crucial of the four security bulletins. The vulnerability affects Windows XP and Windows Server 2003. An attacker can gain elevated privileges on the target system by exploiting this flaw. One caveat is that the attacker must have valid logon credentials and be logged in locally on the system in order to execute a successful exploit. Attackers have been actively exploiting the vulnerability in the wild, though, so it is urgent that this patch be applied to vulnerable systems as soon as possible.MS14-003 / KB2913602 - Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
This security bulletin addresses a vulnerability in the Windows kernel drivers in Windows 7 and Windows Server 2008 R2. Attackers can exploit this vulnerability to execute arbitrary code in the context of the kernel. Like MS14-002, Microsoft states that the attacker must have valid logon credentials and be logged in locally on the vulnerable system in order to initiate the exploit.MS14-004 / KB2880826 - Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service This security bulletin only affects customers running Microsoft Dynamics AX. An attacker can submit specially crafted data to a Microsoft Dynamics AX Application Object Server (AOS) instance to exploit the vulnerability and cause the a denial-of-service condition on the affected AOS instance.
Tony Bradley is a principal analyst with Bradley Strategy Group. He is a respected authority on technology, and information security. He writes regularly for Forbes, and PCWorld, and contributes to a wide variety of online and print media outlets. He has authored or co-authored a number of books, including Unified Communications for Dummies, Essential Computer Security, and PCI Compliance.