Assessing risk for the June 2013 security updates
Today we released five security bulletins addressing 23 CVEs. One bulletin has a maximum severity rating of Critical, and four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Bulletin: MS13-047 (Internet Explorer)
Most likely attack vector: Victim browses to a malicious webpage.
Max bulletin severity: Critical
Max exploitability rating: 1
Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
Platform mitigations and key notes: 19 CVEs being addressed.

Bulletin: MS13-051 (Office 2003)
Most likely attack vector: Victim opens a malicious Office document.
Max bulletin severity: Important
Max exploitability rating: 1
Likely first 30 days impact: Limited, targeted attacks seen exploiting the single CVE addressed by this update.
Platform mitigations and key notes: Affects Office 2003 and Office for Mac 2011. See this SRD blog post for more information about the attacks.

Bulletin: MS13-049 (Windows networking)
Most likely attack vector: Attacker establishes thousands of connections of a certain type to a victim listening on a TCP/IP port, exhausting non-paged pool memory. This causes a denial of service condition in which the networking stack (or the entire system) must be restarted.
Max bulletin severity: Important
Max exploitability rating: 3
Likely first 30 days impact: No chance for direct code execution. Denial of service only.
Platform mitigations and key notes: Can only be triggered from the local machine on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Rated Moderate on those platforms.

Bulletin: MS13-050 (Print spooler)
Most likely attack vector: Attacker who is already running code on a machine uses this vulnerability to elevate from a low-privileged account to SYSTEM.
Max bulletin severity: Important
Max exploitability rating: 1
Likely first 30 days impact: Likely to see reliable exploits developed for denial-of-service within next 30 days.

Bulletin: MS13-048 (Windows kernel)
Most likely attack vector: Attacker who is already running code on a machine uses this vulnerability to bugcheck the machine or leak kernel memory addresses.
Max bulletin severity: Important
Max exploitability rating: 3
Likely first 30 days impact: No chance for direct code execution. Denial of service or information disclosure only.
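The MS13-049 entry describes a precondition an administrator can watch for while the update is being rolled out: a single peer holding thousands of TCP connections while non-paged pool climbs. The script below is an added monitoring example, not code from the MSRC post or from Microsoft. It polls the `\Memory\Pool Nonpaged Bytes` performance counter and parses `netstat -ano` (available on every platform the bulletin covers, unlike Get-NetTCPConnection), then warns when either crosses a threshold. The thresholds (`$PoolWarnMB`, `$PerPeerWarn`) and the polling interval are assumptions; tune them to the host's normal load.

```powershell
# Added example: monitor for the connection-flood / non-paged pool exhaustion
# pattern described for MS13-049. Threshold values are assumptions.
param(
    [int]$PoolWarnMB = 512,       # assumed: warn when non-paged pool exceeds this
    [int]$PerPeerWarn = 500,      # assumed: warn when one remote host holds this many sockets
    [int]$IntervalSeconds = 30
)

function Get-NonPagedPoolMB {
    # Current non-paged pool usage from the Memory performance object.
    $sample = Get-Counter '\Memory\Pool Nonpaged Bytes'
    [math]::Round($sample.CounterSamples[0].CookedValue / 1MB, 1)
}

function Get-TcpPeerCounts {
    # Count TCP sockets per remote host. Listening sockets report a remote
    # address of 0.0.0.0:0 or [::]:0 and are filtered out.
    netstat -ano -p TCP |
        Select-String '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)' |
        ForEach-Object {
            $remote = $_.Matches[0].Groups[2].Value
            $remote -replace ':\d+$', ''   # drop the port so the count is per host
        } |
        Where-Object { $_ -ne '0.0.0.0' -and $_ -ne '[::]' -and $_ -ne '*' } |
        Group-Object |
        Sort-Object Count -Descending
}

while ($true) {
    $poolMB = Get-NonPagedPoolMB
    $top = Get-TcpPeerCounts | Select-Object -First 3
    $stamp = Get-Date -Format 'u'
    $summary = ($top | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    "$stamp nonpaged=${poolMB}MB top peers: $summary"

    if ($poolMB -gt $PoolWarnMB) {
        Write-Warning "Non-paged pool at ${poolMB}MB exceeds ${PoolWarnMB}MB"
    }
    foreach ($p in $top) {
        if ($p.Count -gt $PerPeerWarn) {
            Write-Warning "$($p.Name) holds $($p.Count) TCP connections"
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it in an elevated PowerShell session on the server hosting the listening service. On Windows Vista, Windows 7, Windows Server 2008 and 2008 R2 the bulletin notes the condition can only be triggered locally, so on those platforms the per-peer count will point at 127.0.0.1 or the host's own address rather than a remote attacker; the pool counter is the more useful signal there.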
- Jonathan Ness, MSRC Engineering