Hello Everyone,


Welcome to the first Microsoft Patch Tuesday of 2014. The great news is that this Patch Tuesday is one of the lightest months in recent memory. This month Microsoft released only 4 patches addressing 6 individual vulnerabilities.

Continuing with today’s four releases, none are identified by Microsoft as “critical”.  The remaining patches are labeled “important” by Microsoft. 


This month’s patches are as follows:


  • MS14-001 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)
  • MS14-002 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)
  • MS14-003 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)
  • MS14-004 Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)



Looking over the patches, I would like to highlight the following three critical updates:



The first update I would like to highlight consists of a patch for the NDProxy.sys reported in late November.  This vulnerability is in the NDPROXY.SYS kernel driver and on Windows XP and Server 2003 systems only. It coordinates the operation of Microsoft's Telephony API (TAPI), allowing the adversary to elevate of privilege (EoP) of the current logged on user to “Admin.” While this exploit cannot be executed remotely, it has reportedly been used in combination with other exploits. If you used the workaround we linked to in the December 2013 Patch Tuesday update that reroutes the NDProxy service to Null.sys via a registry change, it is recommended to undo the registry change before applying this patch. Removing the workaround will re-enable services like RAS, VPN and Dial-up networking. Though listed as only important by Microsoft, I would argue those still using Windows Server 2003 and Windows XP should consider this patch to be critical and update their systems immediately.




The second highlighted patch handles three vulnerabilities reported privately to Microsoft. Though only listed as important, due to the nature of the potential attack I would list this as a critical patch for the month. This remote code execution vulnerability specifically deals with the way Microsoft Office software parses files.  Potentially, if a user was duped to open a specially-crafted document, the adversary would be given the ability to run programs with the same rights as the current logged in user. This update affects Microsoft Word 2003- 2013 including 2013 RT for tablets. In addition, Office Services and Web Apps on MS Sharepoint Server 2010, 2013, and Web Apps Server 2013 are also affected and will need this patch. This patch should be the top priority of your patching cycle this month if you have these versions of Microsoft software in your environment.




The third update I would like to highlight consists of a patch for a vulnerability found in Windows 7 and Windows Server 2008 R2. This security update fixes a vulnerability in the kernel-mode device driver Win32k.sys. Attackers can exploit this vulnerability to execute arbitrary code in the context of the kernel, elevating the rights of any user to “System”.  Though there are no known exploits of this vulnerability, I would still recommend patching this as soon as possible.


Aggregate coverage (combining host and network-based countermeasure together) is 5 out of 6. McAfee Vulnerability Manager has the ability to scan and detect all 6 vulnerabilities.   Specifically, coverage for each of the three most critical related vulnerabilities (MS14-001, MS14-002, and MS14-003) is covered by the following McAfee endpoint security software and McAfee Enterprise Firewall:


  • BOP ( Buffer Overflow Protection ww/ VSE)
  • HIPS
  • NSP
  • App Control
  • MVM

Further research is being performed 24/7 by McAfee Labs and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.


Finally, in case you’re interested, these briefings are archived on the McAfee Community site and newly archived on the McAfee Community Site.

Happy patching!