Today we released eleven security bulletins addressing 24 CVEs. Five bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Columns: Bulletin | Most likely attack vector | Max Bulletin Severity | Max XI | Likely first 30 days impact | Platform mitigations and key notes

MS13-096 (GDI+ TIFF parsing)
  Most likely attack vector: Victim opens malicious Office document.
  Max Bulletin Severity: Critical
  Max XI: 1
  Likely first 30 days impact: Likely to continue seeing Office document attacks leveraging CVE-2013-3906.
  Platform mitigations and key notes: Addresses the vulnerability first described in Security Advisory 2896666. More information about these attacks is in the SRD blog post from November.

MS13-097 (Internet Explorer)
  Most likely attack vector: Victim browses to a malicious webpage.
  Max Bulletin Severity: Critical
  Max XI: 1
  Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
  Platform mitigations and key notes: Addresses five remote code execution and two elevation of privilege vulnerabilities. The elevation of privilege vulnerabilities could be used by an attacker to elevate out of Internet Explorer's Protected Mode after already achieving code execution within that environment.

MS13-099 (VBScript)
  Most likely attack vector: Victim browses to a malicious webpage.
  Max Bulletin Severity: Critical
  Max XI: 1
  Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
  Platform mitigations and key notes: Not a vulnerability in the browser directly; however, the Scripting.Dictionary ActiveX control is on the pre-approved list and is allowed to load without prompt.

MS13-105 (Exchange)
  Most likely attack vector: Attacker sends email with malicious attachment and lures victim to view the attachment as a webpage within Outlook Web Access. The attacker could potentially compromise the server-side process generating the web page.
  Max Bulletin Severity: Critical
  Max XI: 1
  Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
  Platform mitigations and key notes: Addresses Oracle Outside In issues included in the October 2013 security update: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

MS13-098 (Authenticode)
  Most likely attack vector: Victim computer infected because user runs / double-clicks a malicious installer that had been signed by a trusted 3rd party and subsequently altered by an attacker to download a malicious executable.
  Max Bulletin Severity: Critical
  Max XI: 1
  Likely first 30 days impact: Limited, targeted attacks expected to continue in next 30 days.
  Platform mitigations and key notes: This issue relies on the user first choosing to run a malicious binary. More information on the scope of this issue and the additional hardening provided by the security update is here: http://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspx

MS13-100 (SharePoint)
  Most likely attack vector: Attacker able to authenticate to a vulnerable SharePoint server sends a blob of data that is incorrectly de-serialized, resulting in potential code execution server-side.
  Max Bulletin Severity: Important
  Max XI: 1
  Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
  Platform mitigations and key notes: Successful attack elevates the authenticated user to the W3WP service account on the SharePoint site.

MS13-101 (Kernel mode drivers)
  Most likely attack vector: Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.
  Max Bulletin Severity: Important
  Max XI: 1
  Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
  Platform mitigations and key notes: Addresses primarily win32k.sys local elevation of privilege vulnerabilities. The font case also being addressed results in denial-of-service only, not code execution.

MS13-102 (LPC)
  Most likely attack vector: Attacker running code at low privilege on Windows XP or Windows Server 2003 runs exploit binary to elevate to SYSTEM.
  Max Bulletin Severity: Important
  Max XI: 1
  Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
  Platform mitigations and key notes: Does not affect Windows Vista or any later versions of Windows.

MS13-106 (hxds.dll ASLR mitigation bypass)
  Most likely attack vector: Attacker combines this vulnerability with a (separate) code execution vulnerability to compromise a system.
  Max Bulletin Severity: Important
  Max XI: n/a
  Likely first 30 days impact: This issue has been leveraged as an exploit component in several real-world browser-based attacks.
  Platform mitigations and key notes: This vulnerability does not result in code execution directly. However, it is a component attackers use to bypass ASLR. Applying this security update will disrupt a number of in-the-wild exploits even in cases where an update is not applied for a code execution vulnerability.

MS13-104 (Office)
  Most likely attack vector: Attacker sends victim a link to a malicious server. If the victim clicks the link, the browser makes a request to Microsoft's Office 365 server on behalf of the victim in such a way that a user token is captured by the malicious server, allowing the owner of the malicious server to log in to SharePoint Online the same way the victim user would have been able to log in.
  Max Bulletin Severity: Important
  Max XI: n/a
  Likely first 30 days impact: This issue was reported to us by Adallom after they detected targeted attacks leveraging this vulnerability.
  Platform mitigations and key notes: Affects customers who use Office 2013 to access the Office 365 SharePoint Online multi-tenant service.

MS13-103 (SignalR)
  Most likely attack vector: Attacker sends victim a link exploiting a Cross-Site Scripting (XSS) vulnerability on an intranet Visual Studio Team Foundation Server (TFS) for which they have access rights. If the victim clicks the link, an automatic action is taken on their behalf on the TFS server that they otherwise might not have wanted to execute.
  Max Bulletin Severity: Important
  Max XI: 1
  Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
  Platform mitigations and key notes: (none listed)
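The MS13-106 entry above notes that a module such as hxds.dll is valuable to attackers only as a component: a DLL that was not linked as ASLR-compatible loads at a predictable address, which is what an ASLR bypass needs. A defender can find such modules by reading the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit in the PE optional header. The script below is an added example, not code from the bulletin or from Microsoft; it parses that header directly (offsets per the PE/COFF specification) and, for a self-contained run, builds two constructed minimal PE images rather than reading anything from a real system.

```python
"""
Added example (not from the original post): audit PE files for the
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag, i.e. whether they opted in to ASLR.
"""
import os
import struct
import tempfile
from pathlib import Path

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
AUDITED_EXTENSIONS = {".dll", ".exe", ".ocx"}


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # start of the optional header
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 of the optional header for PE32 and PE32+.
    return struct.unpack_from("<H", data, opt + 70)[0]


def is_aslr_enabled(data: bytes) -> bool:
    """True if the image opted in to ASLR via the DYNAMIC_BASE flag."""
    return bool(dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def audit_directory(root) -> list:
    """Return paths (as strings) of PE files under root that did NOT opt in to ASLR.
    Files that are not valid PE images are skipped."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in AUDITED_EXTENSIONS:
            continue
        try:
            if not is_aslr_enabled(path.read_bytes()):
                findings.append(str(path))
        except ValueError:
            continue
    return findings


def build_sample_pe(characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not a real binary) with the given
    DllCharacteristics value; enough for the parser above to read."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature follows DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | executable)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo() -> list:
    """Write constructed samples to a temp dir, audit it, return the names flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        # NX-compatible and ASLR-enabled (0x0100 | 0x0040)
        Path(tmp, "modern.dll").write_bytes(build_sample_pe(0x0140))
        # NX-compatible only: no DYNAMIC_BASE, so it loads at a fixed address
        Path(tmp, "legacy.dll").write_bytes(build_sample_pe(0x0100))
        # Not a PE at all; must be skipped, not reported
        Path(tmp, "notes.txt").write_bytes(b"plain text")
        return sorted(os.path.basename(p) for p in audit_directory(tmp))


if __name__ == "__main__":
    print("modules without ASLR opt-in:", demo())
```

Point audit_directory at a directory of installed modules to list the ones that would load at a fixed base; the result is a hardening worklist (update or remove the module), not a measure of exploitability by itself.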

- Jonathan Ness, MSRC's engineering team