Assessing risk for the January 2013 security updates - Security Research & Defense - Site Home

Today we released seven security bulletins addressing 12 CVE’s. Two of the bulletins have a maximum severity rating of Critical, and five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin	Most likely attack vector	Max Bulletin Severity	Max Exploit-ability Index	Likely first 30 days impact	Platform mitigations and key notes
MS13-002 (MSXML)	Victim browses to a malicious webpage.	Critical	1	Likely to see reliable exploits developed within next 30 days.
MS13-001 (Print Spooler service)	Attacker sends malicious print job to shared printer. Other workstations subsequently query information about the malicious print job using third party software, triggering vulnerability.	Critical	1	Likely to see reliable exploits developed within next 30 days. Less likely to see wide-spread attacks due to no default attack vector.	Vulnerability not triggered when printing or querying printer information using built-in Windows components. See this blog post for additional information.
MS13-004 (.NET Framework)	Victim browses to a malicious intranet webpage that offers an XBAP application.	Important	1	Vulnerability itself is exploitable (hence the “1” rating). However, XBAP is disabled on IE9 and also in the Internet Zone on earlier versions of Internet Explorer. Therefore, less likely to see wide-spread exploitation.
MS13-005 (win32k.sys)	Attacker running code on a machine already in a restricted context uses this vulnerability to send Windows messages to other applications that otherwise would be restricted.	Important	1	Likely to see reliable exploits developed within next 30 days.	Does not grant direct code execution. May be useful as first step of a multi-stage attack.
MS13-006 (SSLv3 downgrade)	Victim browses to a trusted website via HTTPS. A malicious attacker positioned on the network as a man-in-the-middle under certain circumstances can potentially downgrade encryption to an easier-to-decrypt protocol.	Important	1	Likely to see reliable exploits developed within next 30 days.	Attacker must be man-in-the-middle on the network to leverage this vulnerability. Attacker must also separately exploit a weakness in SSLv2 to decrypt traffic.
MS13-003 (System Center Operations Manager)	Attacker sends victim a link exploiting a Cross-Site Scripting (XSS) vulnerability on a SCOM server for which they have access rights. When the victim clicks the link, an automatic action is taken on their behalf on the SCOM server that they otherwise might not have wanted to execute.	Important	1	Likely to see reliable exploits developed within next 30 days.	Script execution would be within context of SCOM application (not on Windows itself).
MS13-007 (Open Data protocol application-level denial-of-service)	Attacker sends malicious OData filter query to web application implementing OData protocol causing temporary application-level denial-of-service due to resource exhaustion (CPU & memory).	Important	n/a	Denial of service only.

- Jonathan Ness and Gangadhara Swamy, MSRC Engineering