Assessing risk for the February 2013 security updates - Security Research & Defense - Site Home

Today we released twelve security bulletins addressing 57 CVE’s. Five of the bulletins have a maximum severity rating of Critical, and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin	Most likely attack vector	Max Bulletin Severity	Max Exploit-ability rating	Likely first 30 days impact	Platform mitigations and key notes
MS13-010 (VML)	Victim browses to a malicious webpage.	Critical	1	Has been leveraged as an address leak vulnerability in targeted attacks. Likely to see additional usage in next 30 days either as an info leak or potentially as a code execution vulnerability.	VGX.dll only recently included in Internet Explorer cumulative updates. DLL originally shipped as an Office component. Depending on platform, MS13-009 may also include the fix. To be sure fix is available for all platforms, WU detection logic targets MS13-010 for all platforms, even those where MS13-009 is already installed.
MS13-009 (Internet Explorer)	Victim browses to a malicious webpage.	Critical	1	Likely to see reliable exploits developed within next 30 days.
MS13-020 (OLEAUT32)	Victim opens a malicious RTF file with an embedded ActiveX control in either Word or Wordpad, resulting in potential code execution in the context of the logged-on user.	Critical	1	Likely to see reliable exploits developed within next 30 days.	Document-style attacks typically rated ‘Important’. However, this vulnerability in OLEAUT32.dll’s core memory management functions likely to be used by third party ActiveX controls. While we have not identified any Microsoft browser-based attack vector, third party ActiveX controls likely to expose this vulnerability within the browser.
MS13-011 (Windows Media)	Victim with a third party codec installed browses to a malicious webpage.	Critical	1	Likely to see reliable exploits developed within next 30 days. Less likely to see wide-spread attacks due to third party codec requirement.	Vulnerability cannot be triggered without third party codec installed.
MS13-012 (Oracle Outside In for Exchange)	Attacker sends email with malicious attachment and lures victim to view the attachment as a webpage within Outlook Web Access. The attacker could potentially compromise the server-side process generating the web page.	Critical	2	Difficult to build reliable exploit code for these vulnerabilities.	Oracle Outside In process runs at a lower privilege level, LocalService. For more background information, please see this SRD blog post.
MS13-015 (.NET Framework)	Victim browses to a malicious intranet webpage that offers an XBAP or ClickOnce application.	Important	1	Vulnerability itself is exploitable (hence the “1” rating). However, XBAP is disabled on IE9 and also in the Internet Zone on earlier versions of Internet Explorer. Therefore, less likely to see wide-spread exploitation.
MS13-016 (Windows drivers [win32k.sys])	Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM.	Important	2	Difficult to build reliable exploit code for these vulnerabilities.	Same vulnerability present in 30 different win32k.sys functions, leading to high (30) CVE count.
MS13-017 (Windows kernel)	Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM.	Important	1	Likely to see reliable exploit code developed within next 30 days.
MS13-019 (CSRSS)	Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM.	Important	1	Difficult to build reliable exploit code for this vulnerability.
MS13-013 (FAST Search Server for Sharepoint)	Attacker having permission to upload malicious content to a Sharepoint server does so, which is indexed by FAST Search Server, resulting in potential code execution in context of the restricted token used by the indexing service.	Important	1	Likely to see reliable exploits developed within next 30 days.	The SharePoint Advanced Filter Pack that leverages Oracle Outside In technology for indexing is not enabled by default. The process that SharePoint uses for indexing when it is enabled runs with a restricted token similar to the Office 2010 Protected View sandbox. For more information, please see this SRD blog post.
MS13-018 (TCP/IP)	Attacker creates millions of TCP/IP connections to victim server in such a way that victim initiates connection teardown for each by sending FIN to attacker. Over time, victim’s non-paged pool is exhausted and victim is unable to create new network connections.	Important	n/a	Denial of Service only.	Denial of service only – no chance for code execution. For more background on this issue, please see this SRD blog post.
MS13-014 (NFS server role)	Attacker triggers denial of service condition on Windows server on which NFS server role has been activated.	Important	n/a	Denial of Service only.	Does not affect servers without NFS server role.

- Jonathan Ness, MSRC Engineering