CERT-In Advisory
CIAD-2014-0060
Multiple Vulnerabilities in Microsoft Products
Original Issue Date: October 15, 2014
Systems Affected
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit Systems SP2
- Windows Server 2008 for x64-based Systems SP2
- Windows Server 2008 for Itanium-based Systems SP2
- Windows 7 for 32-bit and x64-based Systems SP1
- Windows Server 2008 R2 for x64-based and Itanium-based Systems SP1
- Windows Server 2008 for 32-bit, x64-based and Itanium-based Systems SP2
- Windows 8 for 32-bit and x64-based Systems
- Windows 8.1 for 32-bit and x64-based Systems
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT
- Windows RT 8.1
- Microsoft Office 2007 SP3
- Microsoft Office 2010 SP1 and SP2 (32-bit & 64-bit editions)
- Microsoft Office for Mac 2011
- Microsoft Office Compatibility Pack SP3
- Microsoft Office Web Apps 2010 SP1 and SP2
Component Affected
- ASP.NET MVC 2.0, 3.0, 4.0, 5.0 & 5.1
- Internet Explorer 6, 7, 8, 9, 10 and 11
- Microsoft .NET Framework 2.0 SP2
- Microsoft .NET Framework 3.5, 3.5.1
- Microsoft .NET Framework 4.0, 4.5, 4.5.1 & 4.5.2
- Word Automation Services on Microsoft SharePoint Server 2010 SP2 and prior
Overview
Multiple vulnerabilities have been reported in various components of Microsoft products.
Description
The vulnerability notes released by CERT-In with reference to Microsoft Security Bulletins are given below:
| Microsoft Security Bulletin | Severity | CERT-In Vulnerability Notes |
| --- | --- | --- |
| MS14-056: Cumulative Security Update for Internet Explorer | High | CIVN-2014-0225: Multiple Vulnerabilities in Microsoft Internet Explorer |
| MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution | High | CIVN-2014-0226: Multiple Remote Code Execution Vulnerabilities in Microsoft .NET Framework |
| MS14-058: Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution | High | CIVN-2014-0227: Multiple Remote Code Execution Vulnerabilities in Kernel-Mode Driver |
| MS14-059: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass | Medium | CIVN-2014-0228: Cross-site scripting (XSS) vulnerability exists in ASP.NET MVC |
| MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution | Medium | CIVN-2014-0229: Remote Code Execution Vulnerability in Microsoft Windows OLE |
| MS14-061: Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution | High | CIVN-2014-0230: Remote Code Execution Vulnerability in Microsoft Word and Office Web Apps |
| MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege | Medium | CIVN-2014-0231: Microsoft Windows Message Queuing Service Privilege Escalation Vulnerability |
| MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege | Medium | CIVN-2014-0232: Microsoft Windows FASTFAT Driver Privilege Escalation vulnerability |
Solution
Apply the appropriate patches as mentioned in the Microsoft Security Bulletin for October 2014:
https://technet.microsoft.com/library/security/ms14-oct
Vendor Information
Microsoft Corporation
https://technet.microsoft.com/library/security/ms14-oct
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India