Quiet Patch Tuesday for January with only four Important bulletins
January's Patch Tuesday has seen only four bulletins, with no Critical ones (hooray!) and no patches for Internet Explorer. However, the four bulletins are rated Important and users should apply the related patches as soon as possible.
According to security specialist Trustwave two of the vulnerabilities result in a privilege elevation and a third involves remote code execution utilizing an Office document.
Trustwave warns that on their own these vulnerabilities might not be critical, but combined they can prove much more serious. If an attacker used a malicious Office document to execute code that takes advantage of the privilege elevation vulnerability for example, then a phishing email to an unsuspecting user would be all that's necessary to compromise the system.
SpiderLabs researcher Ben Hayak has seen this type of combined attack occur in the wild, although it used Adobe Reader rather than Office. He’s documented the attack in a blog post which makes interesting reading.
The four latest bulletins are, MS14-001 (KB2916605) which covers three vulnerabilities in MS Office that may allow remote code execution; MS14-002(KB2914368) which addresses a vulnerabilityin NDProxy.sys reported in November last year which may allow privilege elevation via a specially crafted app (this only affects XP and Server 2003); MS14-003 (KB2913602) covers a similar vulnerability in Win32k.sys (affecting Windows 7 and Server 2008 R2); finally, MS14-004 (KB2880826) covers a vulnerability in Microsoft Dynamics AX that could allow a denial of service attack.
Full details of the January security bulletin are available on the Microsoft TechNet site.