Today we released twelve security bulletins. Three have a maximum severity rating of Critical and nine have a maximum severity rating of Important. This release addresses three publicly disclosed vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Two vulnerabilities:
1 - Attacker already running code locally in the context of a service account (IIS, SQL, etc.) elevates privileges on the network.
2 - Man-in-the-middle attacker able to sniff and modify traffic on the wire causes encryption downgrade to DES, cracks the encryption, and impersonates the user who sent the traffic.
Mitigating factors:
1 - Services running in the context of a low-privileged account cannot be used as the initial vector of an exploit where this vulnerability is used. Domain controllers running Windows Server 2008 or later are not affected.
2 - Attacker must be able to sniff and modify traffic on the wire.
In addition to the twelve security updates, we are also releasing an advisory related to the Autorun functionality. This advisory describes a package live today on Windows Update that disables the Autorun functionality for removable, “non-shiny” media. You can read more about it in this blog post.
Acknowledgement
Thanks to Andrew Roths, Mark Wodrich, and the rest of the MSRC Engineering team for help with this post and the whole team for their work on this month's security updates.
Jonathan Ness, MSRC Engineering