Today we released six security bulletins addressing 19 CVE’s. Four of the bulletins have a maximum severity rating of Critical, one has a maximum severity rating of Important, and one has a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
|Bulletin||Most likely attack vector||Max Bulletin Severity||Max Exploit-ability Index Rating||Likely first 30 days impact||Platform mitigations and key notes|
|Victim browses to a malicious webpage.||Critical||1||Likely to see reliable exploits developed within next 30 days.||Internet Explorer versions 6, 7, 8, and 10 not affected. Only affects Internet Explorer 9.|
(Windows drivers [win32k.sys])
|Most likely attack vector is an attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM.||Critical||1||Likely to see an exploit released granting a local attacker SYSTEM level access.||Two of the three CVE’s usable for local elevation of privilege only.
The third (CVE-2012-2897) has a theoretical remote code execution attack vector in that TTF fonts can be embedded in both Office documents and PDF files and are also rendered by third party browsers. However, we have been unable trigger this particular vulnerable code path via any remote attack vectors in our experiments.
|Victim navigates to a malicious WebDAV or SMB share and previews a malicious Windows briefcase folder.||Critical||1||Likely to see reliable exploits developed within next 30 days.|
|Victim opens a malicious .XLS file, resulting in potential code execution in the context of the logged-in user.||Important||1||Likely to see reliable exploits developed within next 30 days.||Excel 2013 not affected.|
(Internet Information Services [IIS])
|Attacker having access to IIS server’s operational log after an administrator has enabled Configuration Auditing may be able to access cleartext password of the user under which the IIS AppPool runs.||Moderate||N/A||No chance for code execution. Likely to see descriptions of this information-disclosure vulnerability publicly within next 30 days.||Non-default scenario for IIS 7.5 and later server.
Info disclosure only. No code execution.
– Jonathan Ness, MSRC Engineering