===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0180
        Cumulative Security Update for Internet Explorer (2909921)
                             11 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Internet Explorer 6
                   Internet Explorer 7
                   Internet Explorer 8
                   Internet Explorer 9
                   Internet Explorer 10
                   Internet Explorer 11
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account            
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0293 CVE-2014-0290 CVE-2014-0289
                   CVE-2014-0288 CVE-2014-0287 CVE-2014-0286
                   CVE-2014-0285 CVE-2014-0284 CVE-2014-0283
                   CVE-2014-0281 CVE-2014-0280 CVE-2014-0279
                   CVE-2014-0278 CVE-2014-0277 CVE-2014-0276
                   CVE-2014-0275 CVE-2014-0274 CVE-2014-0273
                   CVE-2014-0272 CVE-2014-0271 CVE-2014-0270
                   CVE-2014-0269 CVE-2014-0268 CVE-2014-0267

Original Bulletin: 
   http://technet.microsoft.com/en-us/security/bulletin/ms14-010

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS14-010 - Critical

Cumulative Security Update for Internet Explorer (2909921)

Published Date: February 11, 2014

Version: 1.0

General Information

Executive Summary 

This security update resolves one publicly disclosed vulnerability and 
twenty-three privately reported vulnerabilities in Internet Explorer. The most
severe vulnerabilities could allow remote code execution if a user views a 
specially crafted webpage using Internet Explorer. An attacker who successfully 
exploited the most severe of these vulnerabilities could gain the same user 
rights as the current user. Users whose accounts are configured to have fewer 
user rights on the system could be less impacted than users who operate with 
administrative user rights.

This security update is rated Critical for Internet Explorer 6, Internet 
Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and 
Internet Explorer 11 on affected Windows clients, Important for Internet 
Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11
on affected Windows servers, and Moderate for Internet Explorer 6 and Internet
Explorer 7 on supported editions of Windows Server 2003. For more information, 
see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by adding additional 
permission validations to Internet Explorer, and by modifying the way that 
Internet Explorer handles objects in memory. 

Affected Software 

Internet Explorer 6 
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9
Internet Explorer 10
Internet Explorer 11

Vulnerability Information

Internet Explorer Elevation of Privilege Vulnerability - CVE-2014-0268

An elevation of privilege vulnerability exists within Internet Explorer during 
validation of local file installation and during secure creation of registry 
keys.

VBScript Memory Corruption Vulnerability - CVE-2014-0271

A remote code execution vulnerability exists in the way that the VBScript 
engine handles objects in memory. The vulnerability may corrupt memory in such 
a way that an attacker could execute arbitrary code in the context of the 
current user. If the current user is logged on with administrative user rights,
an attacker who successfully exploited this vulnerability could take complete 
control of an affected system. An attacker could then install programs; view, 
change, or delete data; or create new accounts with full user rights.

Internet Explorer Cross-domain Information Disclosure Vulnerability - 
CVE-2014-0293

An information disclosure vulnerability exists in Internet Explorer that could 
allow an attacker to gain access to information in another domain or Internet
Explorer zone. An attacker could exploit the vulnerability by constructing a 
specially crafted webpage that could allow information disclosure if a user 
viewed the webpage. An attacker who successfully exploited this vulnerability 
could view content from another domain or Internet Explorer zone.

Multiple Memory Corruption Vulnerabilities in Internet Explorer

Internet Explorer Memory Corruption Vulnerability - CVE-2014-0267
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0269
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0270
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0272
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0273
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0274
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0275
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0276
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0277
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0278
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0279
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0280
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0281
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0283
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0284
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0285
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0286
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0287
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0288
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0289
Internet Explorer Memory Corruption Vulnerability - CVE-2014-0290

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================