Today we released six security bulletins addressing 19 CVEs. Four of the bulletins have a maximum severity rating of Critical, one has a maximum severity rating of Important, and one has a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
(Windows drivers [win32k.sys])
The third (CVE-2012-2897) has a theoretical remote code execution attack vector in that TTF fonts can be embedded in both Office documents and PDF files and are also rendered by third-party browsers. However, we have been unable to trigger this particular vulnerable code path via any remote attack vectors in our experiments.
(.NET Framework)
(Windows Shell)
(Excel)
(Internet Information Services [IIS])
Info disclosure only. No code execution.
- Jonathan Ness, MSRC Engineering