Today we released seven security bulletins addressing 20 CVE’s. Four of the bulletins have a maximum severity rating of Critical, and three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploit-ability Index | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS13-021(Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Exploit code for CVE-2013-1288, an issue affecting IE8, is publicly available. Likely to see reliable exploits developed within next 30 days for other vulnerabilities addressed by this update as well. | IE 10 on Windows 7 is not affected. |
| MS13-022(Silverlight) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Affects Silverlight 5. |
| MS13-027(Windows USB driver) | Attacker physically inserts malicious USB device into victim’s workstation or server, resulting in code execution at SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | Pre-auth code execution only possible for attacker able to physically insert malicious hardware device into victim computer. Seethis blog post for more background on this vulnerability. |
| MS13-024(SharePoint 2010) | Attacker issues a search query on the SharePoint site with malicious script in the query string. In certain circumstances, a SharePoint admin may view search queries in such a way that the script from the attacker’s search query is run in the context of the SharePoint administrator’s session. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Affects only SharePoint Server 2010 Service Pack 1, no earlier or later versions of SharePoint. |
| MS13-023(Visio Viewer 2010) | Victim uses Visio Viewer 2010 to opens malicious Visio .DXF file. | Critical | 2 | Less likely to see reliable exploit developed for this vulnerability. Visio Viewer exploits not often seen in the wild and this one looks more difficult than usual to exploit for reliable code execution. | Visio itself not affected by this vulnerability directly. Only Visio Viewer 2010 affected. |
| MS13-025(OneNote 2010) | Attacker lures victim to open OneNote file from a malicious or attacker-controlled directory. Attacker uses this vulnerability to cause process memory from the victim’s OneNote process to be written back to the file in the attacker’s directory, potentially leaking information to the attacker. | Important | n/a | Not possible to leverage this vulnerability for code execution directly. Information disclosure only. | Affects only OneNote 2010 Service Pack 1, no earlier or later versions of OneNote. Attacker must lure victim to opening file from a server or location they control. Only information in the OneNote process at the time of user opening the malicious file could become accessible to the attacker. |
| MS13-026(Office Outlook for Mac) | Attacker sends victim an email with links to external content. Content is loaded without prompting user. | Important | n/a | Not possible to leverage this vulnerability for code execution directly. Information disclosure only. |
- Jonathan Ness, MSRC Engineering