Today we released ten security bulletins addressing 33 CVEs. Two of the bulletins have a maximum severity rating of Critical, and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Likely first 30 days impact | Platform mitigations and key notes |
---|---|---|---|---|---|
MS13-038 (Internet Explorer 8) | Victim browses to a malicious webpage. | Critical | 1 | CVE-2013-1347 currently being exploited in active attacks. | Addresses the issue that was first discovered as an exploit on the US Department of Labor website. Includes the IE8 mshtml.dll from MS13-037 plus one additional fix for CVE-2013-1347. Vulnerable code is also present in IE9 but is not vulnerable in the same way. Update for IE9 is included as a defense-in-depth measure. |
MS13-037 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | |
MS13-039 (HTTP.sys) | Attacker sends malicious HTTP request to victim IIS server, creating a resource exhaustion denial-of-service. | Important | 1 | Likely to see reliable exploits developed for denial-of-service within next 30 days. | Most likely target would be Windows Server 2012 web servers. Windows Server 2003, 2008, 2008 R2 not affected. |
MS13-042 (Publisher) | Victim opens malicious .PUB file. | Important | 1 | Likely to see reliable exploits developed for denial-of-service within next 30 days. | 11 CVEs affecting primarily Publisher 2003. One affects Publisher 2007 and Publisher 2010. None affect Publisher 2013. |
MS13-046 (Kernel mode drivers, win32k.sys and dxgkrnl.sys) | Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from a low-privileged account to SYSTEM. | Important | 1 | Difficult to build reliable exploit code for this vulnerability. | |
MS13-043 (Word 2003) | Victim opens malicious .doc file. | Important | 2 | Difficult to build reliable exploit code for this vulnerability. | Does not affect Word 2007, Word 2010, Word 2013, Word Web Apps, or Office for Mac. |
MS13-041 (Lync) | Victim accepts an incoming Lync chat invitation and then agrees to view a shared program or shared content presented by the attacker. | Important | 2 | Difficult to build reliable exploit code for this vulnerability. | Cannot be exploited via regular Lync chat. Requires victim agreeing to view shared content. |
MS13-044 (Visio) | Victim opens malicious SVG image on a system where Visio is installed. Through a sequence of events, Visio can be tricked into automatically sending the contents of a local file to a remote server. | Important | 3 | No direct code execution. This is an information disclosure vulnerability only. | |
MS13-045 (Windows Writer) | Victim clicks on a malicious wlw:// URL, opening Windows Writer (blogging software) and causing it to potentially overwrite local files writable by the logged-in user. | Important | 3 | No direct code execution. | After clicking the link, the user is prompted to open Windows Writer. Vulnerability can only be triggered after the user agrees to open Windows Writer. |
MS13-040 (.NET Framework) | .NET Framework’s process to verify the digital signature of XML can potentially be tricked into accepting unsigned XML as signed when first presented with signed XML. | Important | 3 | No direct code execution. This is a spoofing threat. | |
- Jonathan Ness, MSRC Engineering