Today we released ten security bulletins addressing 33 CVE’s. Two of the bulletins have a maximum severity rating of Critical, and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes
MS13-038

(Internet Explorer 8)

Victim browses to a malicious webpage. Critical 1 CVE-2013-1347 currently being exploited in active attacks. Addresses the issue that was first discovered as an exploit on the US Department of Labor website. Includes the IE8 mshtml.dll from MS13-037 + one additional fix for CVE-2013-1347.

Vulnerable code is also present in IE9 but not vulnerable in same way. Update for IE9 is included as defense-in-depth measure.

MS13-037

(Internet Explorer)

Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploits developed within next 30 days.  
MS13-039

(HTTP.sys)

Attacker sends malicious HTTP request to victim IIS server, creating a resource exhaustion denial-of-service. Important 1 Likely to see reliable exploits developed for denial-of-service within next 30 days. Most likely target would be Windows Server 2012 web servers. Windows Server 2003, 2008, 2008 R2 not affected.
MS13-042

(Publisher)

Victim opens malicious .PUB file Important 1 Likely to see reliable exploits developed for denial-of-service within next 30 days. 11 CVE’s affecting primarily Publisher 2003. One affects Publisher 2007 and Publisher 2010. None affect Publisher 2013.
MS13-046

(Kernel mode drivers, win32k.sys and dxgkrnl.sys)

Attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM. Important 1 Difficult to build reliable exploit code for this vulnerability.  
MS13-043

(Word 2003)

Victim opens malicious .doc file Important 2 Difficult to build reliable exploit code for this vulnerability. Does not affect Word 2007, Word 2010, Word 2013, Word Web Apps, or Office for Mac.
MS13-041

(Lync)

Victim accepts an incoming Lync chat invitation and then agrees to view a shared program or shared content presented by the attacker. Important 2 Difficult to build reliable exploit code for this vulnerability. Cannot be exploited via regular Lync chat. Requires victim agreeing to view shared content.
MS13-044

(Visio)

Victim opens malicious SVG image on system where Visio is installed. Through a sequence of events, Visio can be tricked into automatically sending the contents of a local file to a remote server. Important 3 No direct code execution. This is an information disclosure vulnerability only.  
MS13-045

(Windows Writer)

Victim clicks on a malicious wlw:// URL, opening Windows Writer (blogging software) and causing it to potentially overwrite local files writable by the logged-in user. Important 3 No direct code execution. After clicking on the prompt, user prompted to open Windows Writer. Vulnerability can only be triggered after user agrees to open Windows Writer.
MS13-040

(.NET Framework)

.NET Framework’s process to verify digital signature of XML can potentially be tricked into accepting unsigned XML as signed when first presented with signed XML. Important 3 No direct code execution. This is a spoofing threat.  

- Jonathan Ness, MSRC Engineering