Today we released five security bulletins addressing 23 CVEs. One bulletin has a maximum severity rating of Critical, and four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability rating | Likely first 30 days impact | Platform mitigations and key notes |
---|---|---|---|---|---|
MS13-047 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | 19 CVEs being addressed. |
MS13-051 (Office 2003) | Victim opens malicious Office document. | Important | 1 | Limited, targeted attacks seen exploiting single CVE addressed by this update. | Affects Office 2003 and Office for Mac 2011. See this SRD blog post for more information about the attacks. |
MS13-049 (Windows networking) | Attacker establishes thousands of connections of a certain type to a victim listening on a TCP/IP port, exhausting non-paged pool memory. This causes a denial of service condition where the networking stack (or the entire system) must be restarted. | Important | 3 | No chance for direct code execution. Denial of service only. | Can only be triggered from the local machine on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Rated Moderate on those platforms. |
MS13-050 (Print spooler) | Attacker who is already running code on a machine uses this vulnerability to elevate from a low-privileged account to SYSTEM. | Important | 1 | Likely to see reliable exploits developed for denial-of-service within next 30 days. | |
MS13-048 (Windows kernel) | Attacker who is already running code on a machine uses this vulnerability to bugcheck the machine or leak kernel memory addresses. | Important | 3 | No chance for direct code execution. Denial of service or information disclosure only. | |
- Jonathan Ness, MSRC Engineering