After a busy December capping off a 2013 that saw an average
of about nine security bulletins per month, Microsoft is kicking off 2014 with
a lighter-than-usual Patch Tuesday. There are only four security bulletins this month, and all
four are rated merely as Important.
The most notable of the bunch is MS14-002, because it
addresses a zero-day flaw in the Windows XP kernel that has already been
under limited exploitation in the wild for a few months. Don't let the lack of
Critical bulletins make you apathetic, though: you should still apply all
applicable patches and updates as quickly as possible.
MS14-001 / KB2916605 – Vulnerabilities in Microsoft Word and
Office Web Apps Could Allow Remote Code Execution
This security bulletin addresses a few separate
vulnerabilities in Microsoft Word and Office Web Apps. An attacker could use a
specially crafted malicious document to exploit one of these flaws and execute
arbitrary code on the vulnerable system. The impact is reduced by two facts:
the attacker first has to dupe a user into opening the malicious file, and a
successful exploit only lets the attacker run code in the context of the
currently logged-in user. If that user is not an Administrator, the attacker
does not get control of the whole system outright, but the user's own files and
sessions are still exposed, and a local elevation-of-privilege bug (like the
two below) is the usual next step.
MS14-002 / KB2914368 – Vulnerability in Windows Kernel Could
Allow Elevation of Privilege
This is the most crucial of the four security bulletins. The
vulnerability affects Windows XP and Windows Server 2003 only. An attacker can
gain elevated privileges on the target system by exploiting this flaw. One
caveat is that the attacker must have valid logon credentials and be logged in
locally on the system in order to execute a successful exploit, which is why a
local elevation-of-privilege flaw is normally chained with a separate bug that
first gets code running as an ordinary user. Attackers have been actively
exploiting the vulnerability in the wild, though, so it is urgent that this
patch be applied to vulnerable systems as soon as possible.
MS14-003 / KB2913602 – Vulnerability in Windows Kernel-Mode
Drivers Could Allow Elevation of Privilege
This security bulletin addresses a vulnerability in the
Windows kernel-mode drivers in Windows 7 and Windows Server 2008 R2. An attacker
who exploits it can execute arbitrary code in kernel mode, and from there take
complete control of the system. Like MS14-002, Microsoft states that the
attacker must have valid logon credentials and be logged in locally on the
vulnerable system in order to initiate the exploit.
MS14-004 / KB2880826 – Vulnerability in Microsoft Dynamics AX
Could Allow Denial of Service
This security bulletin only affects customers running Microsoft Dynamics
AX. An attacker can submit specially crafted data to a Microsoft Dynamics AX
Application Object Server (AOS) instance to exploit the vulnerability and cause
a denial-of-service condition on the affected AOS instance.
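If you want to confirm which hosts still need the two kernel patches, the
following script is one way to do it. It is an added example, not code from
the original article or from Microsoft; the host names are assumed, while the
KB numbers and the OS-to-bulletin mapping come from the bulletins above. It
reads the OS caption of each host over WMI, picks the kernel KB that applies
to that OS family, and asks Get-HotFix whether that KB is installed.

```powershell
# Added example (not from the original article): audit hosts for the
# MS14-002 / MS14-003 kernel patches. Host names below are assumed.
$targets = @('xp-lab-01', 'ws2003-file', 'win7-desk-12', 'ws2008r2-app')

# Which kernel KB applies to which OS family, per the two bulletins.
$kbByOs = @{
    'Windows XP'             = 'KB2914368'   # MS14-002
    'Windows Server 2003'    = 'KB2914368'   # MS14-002
    'Windows 7'              = 'KB2913602'   # MS14-003
    'Windows Server 2008 R2' = 'KB2913602'   # MS14-003
}

foreach ($computer in $targets) {
    # Read the OS caption, e.g. "Microsoft Windows 7 Enterprise".
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem `
              -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "$computer : unreachable ($($_.Exception.Message))"
        continue
    }

    # Match the caption against the OS families covered by the bulletins.
    $kb = $null
    foreach ($family in $kbByOs.Keys) {
        if ($os.Caption -like "*$family*") { $kb = $kbByOs[$family] }
    }
    if (-not $kb) {
        Write-Output "$computer : $($os.Caption) is not covered by MS14-002/MS14-003"
        continue
    }

    # Get-HotFix reads Win32_QuickFixEngineering, which lists installed
    # Windows updates by KB number.
    $installed = Get-HotFix -Id $kb -ComputerName $computer -ErrorAction SilentlyContinue
    if ($installed) {
        Write-Output "$computer : $kb installed on $($installed.InstalledOn)"
    } else {
        Write-Output "$computer : MISSING $kb ($($os.Caption))"
    }
}
```

Two caveats. Get-HotFix only sees updates that register themselves as
Windows hotfixes, so it will not reliably show the MS14-001 Office packages
or the MS14-004 Dynamics AX update; check those through WSUS, SCCM, or the
product's own update history instead. And the Windows XP and Server 2003
targets need PowerShell 2.0 (or at least WMI access for the remote query)
before this works against them.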