Microsoft Kicks Off Summer with Seven Patch Tuesday Bulletins

Written By
ITBE Staff
Jun 10, 2014

Of the seven bulletins released for June Patch Tuesday, two are rated critical and five are rated important. All together, they cover a total of 66 CVEs, but one, MS14-035, remediates 59 of those CVEs. Yes, it’s time for another IE cumulative update and this should (again) be first on your list of patching priorities for June from Microsoft. Russ Ernst, director, product management at Lumension, provides a rundown on the patches for this month.

June Patch Summary

MS14-035: Cumulative Security Update for Internet Explorer (2969262)
Severity: Critical
Restart: Requires restart
Affects: Microsoft Windows, Internet Explorer

MS14-036: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)
Severity: Critical
Restart: Requires restart
Affects: Microsoft Windows, Microsoft Office, Microsoft Lync

MS14-034: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)
Severity: Important
Restart: May require restart
Affects: Microsoft Office

MS14-033: Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061)
Severity: Important
Restart: May require restart
Affects: Microsoft Windows

MS14-032: Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258)
Severity: Important
Restart: May require restart
Affects: Microsoft Lync Server

MS14-031: Vulnerability in TCP Protocol Could Allow Denial of Service (2962478)
Severity: Important
Restart: Requires restart
Affects: Microsoft Windows

MS14-030: Vulnerability in Remote Desktop Could Allow Tampering (2969259)
Severity: Important
Restart: May require restart
Affects: Microsoft Windows

MS14-035: Critical

Last month, IE saw a lot of activity: first the out-of-band patch released on May 1, then a point fix released as part of May’s Patch Tuesday, and finally a vulnerability that was publicly disclosed by the Zero-Day Initiative on May 21. This cumulative update includes a fix for the ZDI-reported vulnerability and one other publicly reported vulnerability. The ZDI-reported vulnerability had a limited attack surface (impacting IE 8 only) and, since it was publicly reported, there have been no known active attacks. In fact, none of the vulnerabilities in this month’s release are under active attack, including these two publicly reported vulnerabilities.

MS14-036: Critical

The second critical patch this month is MS14-036. This is a far-reaching vulnerability in the Microsoft Graphics component that could allow remote code execution. The two CVEs are not currently under known attack, but the impacted software list is extensive: all versions of Windows, Office, Lync and Live Meeting. Given this extensive list of impacted applications and systems, administrators should have their test systems up to date to ensure a smooth roll-out.

MS14-030: Important

MS14-030 is a vulnerability in Remote Desktop that could allow tampering in legacy versions of Windows RDP. This Important-class bulletin covers one CVE, which was privately disclosed. The usefulness for a hacker is low and therefore attacks aren’t likely. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

MS14-031: Important

MS14-031 is a vulnerability in the TCP protocol that could allow denial of service in Windows Vista and newer. This is a distributed denial of service scenario that could cause machines to blue screen.

MS14-032: Important

MS14-032 is a vulnerability in Microsoft Lync 2010 and 2013 that could allow information disclosure. To exploit this vulnerability, an attacker would have to hijack a valid Lync meeting and resend the invite with a cross-site scripting attack. This requires a bit of social engineering, so don’t accept meeting requests from unknown organizers.

MS14-033: Important

MS14-033 is an information disclosure vulnerability in XML Core Services. Using other products, like IE, an attacker could get someone to unwittingly disclose the contents of different directories. An attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an instant messenger request that takes users to the attacker’s website.

MS14-034: Important

A remote code execution vulnerability in Microsoft Word is addressed in MS14-034. It impacts Office 2007 and higher. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Windows Server 2003 EOL

Notably, MS14-036 and MS14-031 impact Windows Server 2003, so this is a good time to note its impending end of life in July 2015. We are coming up on just a year out now, and because any changes to your data center environment will likely require a significant amount of planning and work, it isn’t too soon to get that plan started.
