Today we released eight security bulletins addressing 23 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploit-ability Index | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| MS13-059(Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | Also addresses the ASLR bypass used as part of one of the CanSecWest pwn2own exploits (IE9 broker issue used in the VUPEN Adobe Flash exploit). |
| MS13-060(Unicode font in browser) | Victim with Indic language pack installed browses to a malicious webpage. | Critical | 2 | Less likely to see reliable exploit code within 30 days. | Affects only Windows XP and Windows 2003 machines where the Bangali font is installed. More detail here: http://www.bhashaindia.com/ilit/GettingStarted.aspx?languageName=Tamil |
| MS13-061(Oracle Outside In for Exchange) | Attacker sends email with malicious attachment and lures victim to view the attachment as a webpage within Outlook Web Access. The attacker could potentially compromise the server-side process generating the web page. | Critical | 2 | Less likely to see reliable exploit code within 30 days. | Addresses Oracle Outside In issues included in the Oracle July 2013 security update: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html |
| MS13-063(Kernel) | Attacker who is already running code on a machine uses this vulnerability to elevate from low-privileged account to SYSTEM. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | Also addresses CVE-2013-2556, the LdrHotPatchRoutine Windows ASLR bypass used as part of a CanSecWest pwn2own exploit. You can read more about that aspect of this update in this SRD blog post. |
| MS13-062(RPC) | Attacker on the same machine as a higher-privileged user making asynchronous RPC requests to a remote resource may be able to have RPC request executed as the higher-privileged user. (Example: print server scenario where higher privileged user is continually submitting print jobs) | Important | 1 | Likely to see reliable exploits developed within next 30 days. However, limited scenarios in which attack could be used. | This is a post-auth race condition attack with several pre-conditions. Difficult to trigger reliably. |
| MS13-066(Active Directory Federated Services) | Attacker can leverage information leak to lock out service account used by ADFS, denying service to users. | Important | 3 | Denial of service only. | |
| MS13-065(ICMP) | Attacker send malicious ICMP packet causing denial-of-service on victim recipient. | Important | 3 | Denial of Service only. | Difficult to reproduce this one. Likely will require third party driver installed and packet stored in memory aligned with the page boundary. |
| MS13-064(NAT driver) | Attacker can send malicious network attack against Direct Access server causing denial-of-service. | Important | 3 | Denial of Service only. | Only affects machines running WinNat service. This service was first introduced with Windows Server 2012 and is off by default. |
- Jonathan Ness, MSRC Engineering