Today we released five security bulletins addressing 23 CVE’s. One bulletin has a maximum severity rating of Critical, and four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability rating Likely first 30 days impact Platform mitigations and key notes
MS13-047

(Internet Explorer)

Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploits developed within next 30 days. 19 CVE’s being addressed.
MS13-051

(Office 2003)

Victim opens malicious Office document. Important 1 Limited, targeted attacks seen exploiting single CVE addressed by this update. Affects Office 2003 and Office for Mac 2011. See this SRD blog post for more information about the attacks.
MS13-049

(Windows networking)

Attacker establishes thousands of connections of a certain type to victim listening on a TCP/IP port, exhausting non-paged pool memory. This causes a denial of service condition where networking stack (or entire system) must be restarted. Important 3 No chance for direct code execution. Denial of service only. Can only be triggered from the local machine on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Rated Moderate on those platforms.
MS13-050

(Print spooler)

Attacker who is already running code on a machine uses this vulnerability to elevate from low-privileged account to SYSTEM. Important 1 Likely to see reliable exploits developed for denial-of-service within next 30 days.  
MS13-048

(Windows kernel)

Attacker who is already running code on a machine uses this vulnerability to bugcheck machine or leak kernel memory addresses. Important 3 No chance for direct code execution. Denial of service or information disclosure only.  

- Jonathan Ness, MSRC Engineering