Today we released five security bulletins addressing 23 CVE’s. One bulletin has a maximum severity rating of Critical, and four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
|Bulletin||Most likely attack vector||Max Bulletin Severity||Max Exploit-ability rating||Likely first 30 days impact||Platform mitigations and key notes|
|Victim browses to a malicious webpage.||Critical||1||Likely to see reliable exploits developed within next 30 days.||19 CVE’s being addressed.|
|Victim opens malicious Office document.||Important||1||Limited, targeted attacks seen exploiting single CVE addressed by this update.||Affects Office 2003 and Office for Mac 2011. See this SRD blog post for more information about the attacks.|
|Attacker establishes thousands of connections of a certain type to victim listening on a TCP/IP port, exhausting non-paged pool memory. This causes a denial of service condition where networking stack (or entire system) must be restarted.||Important||3||No chance for direct code execution. Denial of service only.||Can only be triggered from the local machine on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Rated Moderate on those platforms.|
|Attacker who is already running code on a machine uses this vulnerability to elevate from low-privileged account to SYSTEM.||Important||1||Likely to see reliable exploits developed for denial-of-service within next 30 days.|
|Attacker who is already running code on a machine uses this vulnerability to bugcheck machine or leak kernel memory addresses.||Important||3||No chance for direct code execution. Denial of service or information disclosure only.|
- Jonathan Ness, MSRC Engineering