Today we released nine security bulletins addressing 13 CVE’s. Two of the bulletins have a maximum severity rating of Critical, and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploit-ability Index | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS13-028(Internet Explorer) | Victim browses to a malicious webpage. | Critical | 2 | Difficult to build reliable exploit code for these vulnerabilities. | Fixes for Pwn2Own vulnerabilities coming in a future security update. |
| MS13-029(Remote Desktop Client ActiveX control) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | By default, Internet Explorer users must click through the “gold bar” before ActiveX controls are loaded. (click here to see example picture)Does not affect version 8 of the RDP client, distributed by default with Windows 8 and Windows Server 2012 and available for Windows 7 SP1 and Windows Server 2008 R2 SP1. |
| MS13-031(Windows Kernel) | Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM. | Important | 2 | Difficult to build reliable exploit code for these vulnerabilities. | |
| MS13-036(Windows drivers) | Attacker who is already logged-in and able to run malicious code at a low privilege level plugs in a USB thumb drive while custom malicious code is running. These sequence of events leads to code execution at SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
| MS13-032(Active Directory DoS) | Attacker able to authenticate to the Active Directory domain controller sends malicious LDAP requests causing a resource exhaustion condition. When attack stops, performance returns to normal. | Important | 3 | Difficult to predict likelihood of denial of service code appearing in the wild. | No potential for code execution. This is a post-auth denial of service condition only. |
| MS13-034(Windows Defender Anti-malware) | Attacker having write access to the root of the system drive (C:\) places malicious file that is run as LocalSystem by the Anti-malware service. | Important | 1 | Likely to see reliable exploits developed within next 30 days.Unlikely to see wide-spread infection as low privileged users do not have permission to write to root of system drive by default. | To exploit this vulnerability, attacker must have permission to create a new file at the root of the system drive. (C:\malicious.exe) |
| MS13-030(SharePoint Server 2013) | On a SharePoint Server that has been upgraded from SharePoint 2010 to SharePoint 2013, an attacker able to legitimately authenticate to the SharePoint service may be able to access content in another user’s “My Site”. | Important | 1 | Likely to see reliable exploits developed within next 30 days.Unlikely to see wide-spread use of this vulnerability as it only affects SharePoint sites that were created in a non-default way. | Affects only “My Sites” created using the legacy user interface mode on a SharePoint Server 2013 that has been upgraded from SharePoint Server 2010.Sites created on a clean/new installation of SharePoint Server 2013 or sites created using the default user interface after a SharePoint Server upgrade are not affected. |
| MS13-033(CSRSS) | Attacker who is already running code on a Windows Server 2003 system configured in non-default “basevideo” mode may be able to use this vulnerability to elevate from low-privileged account to SYSTEM. Other configurations vulnerable to denial of service (system bugcheck). | Important | 1 | Likely to see reliable exploits developed within next 30 days.Unlikely to see wide-spread infection as only non-default scenario affected for potential code execution. | As seen in the bulletin, several platforms are vulnerable to a local, post-auth denial of service condition. However, only Windows Server 2003 with /basevideo configured at boot is vulnerable to code execution vulnerability. |
| MS13-035(SafeHTML) | Attacker submits malicious HTML to a server, bypassing SafeHTML’s sanitization code. The malicious HTML is subsequently displayed to a victim, resulting in potential elevation of privilege for the attacker. | Important | 3 | Unlikely to see exploit for reliable code execution against products being updated in next 30 days. | We have seen limited, targeted attacks attempting to leverage this vulnerability against Microsoft online services. No known attacks against the products being addressed by MS13-035. |
- Jonathan Ness, MSRC Engineering