Today we released ten security bulletins addressing 33 CVEs. Two of the bulletins have a maximum severity rating of Critical, and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| (Internet Explorer 8) | Victim browses to a malicious webpage. | Critical | 1 | CVE-2013-1347 currently being exploited in active attacks. | Addresses the issue that was first discovered as an exploit on the US Department of Labor website. Includes the IE8 mshtml.dll from MS13-037 plus one additional fix for CVE-2013-1347. Vulnerable code is also present in IE9 but is not vulnerable in the same way; the update for IE9 is included as a defense-in-depth measure. |
| | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | |
| | Attacker sends a malicious HTTP request to the victim IIS server, creating a resource-exhaustion denial of service. | Important | 1 | Likely to see reliable exploits developed for denial of service within next 30 days. | Most likely target would be Windows Server 2012 web servers. Windows Server 2003, 2008, and 2008 R2 are not affected. |
| | Victim opens a malicious .PUB file. | Important | 1 | Likely to see reliable exploits developed for denial of service within next 30 days. | 11 CVEs affecting primarily Publisher 2003. One affects Publisher 2007 and Publisher 2010. None affect Publisher 2013. |
| (Kernel mode drivers, win32k.sys and dxgkrnl.sys) | Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from a low-privileged account to SYSTEM. | Important | 1 | Difficult to build reliable exploit code for this vulnerability. | |
| | Victim opens a malicious .doc file. | Important | 2 | Difficult to build reliable exploit code for this vulnerability. | Does not affect Word 2007, Word 2010, Word 2013, Word Web Apps, or Office for Mac. |
| | Victim accepts an incoming Lync chat invitation and then agrees to view a shared program or shared content presented by the attacker. | Important | 2 | Difficult to build reliable exploit code for this vulnerability. | Cannot be exploited via regular Lync chat. Requires the victim agreeing to view shared content. |
| | Victim opens a malicious SVG image on a system where Visio is installed. Through a sequence of events, Visio can be tricked into automatically sending the contents of a local file to a remote server. | Important | 3 | No direct code execution. This is an information disclosure vulnerability only. | |
| | Victim clicks on a malicious wlw:// URL, opening Windows Writer (blogging software) and causing it to potentially overwrite local files writable by the logged-in user. | Important | 3 | No direct code execution. | After clicking the URL, the user is prompted to open Windows Writer. The vulnerability can only be triggered after the user agrees to open Windows Writer. |
| | The .NET Framework's process for verifying the digital signature of XML can potentially be tricked into accepting unsigned XML as signed when first presented with signed XML. | Important | 3 | No direct code execution. This is a spoofing threat. | |
– Jonathan Ness, MSRC Engineering