Patch Tuesday for June 2014 delivers seven advisories: two critical and five important, one of which is the seldom-seen “tampering” type.
The remarkable item in this month's advisories is MS14-035, the Internet Explorer patch affecting all supported versions. That in itself is not unique; we see one of these almost every month. This time, however, the patch addresses 59 CVEs, that is, 59 distinct vulnerabilities in one patch! Microsoft asserts that while two of the vulnerabilities (CVE-2014-1770 and CVE-2014-1771) have been publicly disclosed, none are known to be under active exploitation. That said, CVE-2014-1770 was disclosed through the Zero-Day Initiative (ZDI), and exploit code is known to exist and will likely become public in the near future. This is the top patching priority.
MS14-036 affects a large number of systems and components, including all supported Windows versions, Office versions, Lync Server and the older Live Meeting. According to Microsoft, however, this isn't the top patching priority, nor even the next one behind MS14-035. Microsoft has suggested that the likelihood of exploitation here is very low and that the attack vector is theoretical, but maybe not practical. Instead, Microsoft has identified MS14-034 as the other top patching priority. This vulnerability is an information disclosure in MS Word. It's an "open-and-own" scenario where a user who opens a malicious file, such as an emailed document, would be immediately exploited.