Assessing risk for the November 2012 security updates

Today we released six security bulletins addressing 19 CVEs. Four of the bulletins have a maximum severity rating of Critical, one has a maximum severity rating of Important, and one has a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

For each bulletin the table gives the most likely attack vector, the maximum bulletin severity, the maximum Exploitability Index rating, the likely impact in the first 30 days, and platform mitigations and key notes.

Internet Explorer
Most likely attack vector: Victim browses to a malicious webpage.
Max bulletin severity: Critical
Max Exploitability Index rating: 1
Likely first 30 days impact: Likely to see reliable exploits developed within the next 30 days.
Platform mitigations and key notes: Only Internet Explorer 9 is affected. Internet Explorer versions 6, 7, 8, and 10 are not affected.

Windows drivers (win32k.sys)
Most likely attack vector: An attacker who is already running code on a machine uses one of these vulnerabilities to elevate from a low-privileged account to SYSTEM.
Max bulletin severity: Critical
Max Exploitability Index rating: 1
Likely first 30 days impact: Likely to see an exploit released granting a local attacker SYSTEM-level access.
Platform mitigations and key notes: Two of the three CVEs are usable for local elevation of privilege only. The third (CVE-2012-2897) has a theoretical remote code execution attack vector, in that TTF fonts can be embedded in both Office documents and PDF files and are also rendered by third-party browsers. However, we have been unable to trigger this particular vulnerable code path via any remote attack vector in our experiments.

.NET Framework
Most likely attack vector: An attacker on the local intranet who can answer requests that a .NET Framework application sends to the proxy server (or to a host named wpad when no proxy server is configured) supplies a PAC file containing malicious JavaScript, which is then executed on the victim workstation.
Max bulletin severity: Critical
Max Exploitability Index rating: 1
Likely first 30 days impact: Likely to see reliable exploits developed within the next 30 days.
Platform mitigations and key notes: CVE-2012-4776 is rated Critical because no user interaction is required to trigger the vulnerability. However, realistic attack scenarios will likely require the proxy to be set to be automatically detected, the victim to be using a .NET application that leverages System.Net.WebRequest, and an attacker on the local intranet able to host or man-in-the-middle the proxy response. You can read more detail about this vulnerability and the attack scenario here.
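The three preconditions listed above (proxy auto-detection on, a .NET WebRequest consumer, and an attacker who can answer for the proxy or for "wpad") can be checked on a workstation with a few lines of PowerShell. This is an added example, not code from the MSRC post; it assumes the documented layout of the DefaultConnectionSettings value (byte 8 is the flags byte: 0x01 direct, 0x02 manual proxy, 0x04 PAC URL, 0x08 auto-detect), and it must be run as the user whose settings matter. Note that PowerShell is itself a .NET application, so the final GetSystemWebProxy call exercises exactly the System.Net proxy-resolution path the bulletin describes; run that part only on a patched machine or a trusted network.

```powershell
# Added example (not from the original MSRC post). Reports whether this user's
# Internet Settings would make a .NET WebRequest auto-detect a proxy via WPAD,
# the precondition for the PAC-file attack scenario described above.
# Assumption: flags byte layout of DefaultConnectionSettings as documented for
# Internet Explorer (0x01 direct, 0x02 manual proxy, 0x04 PAC URL, 0x08 auto-detect).

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction Stop).DefaultConnectionSettings

if ($blob.Length -lt 9) { throw 'DefaultConnectionSettings is too short to contain a flags byte' }
$flags = [int]$blob[8]

$autoDetect = ($flags -band 0x08) -ne 0
$pacUrlSet  = ($flags -band 0x04) -ne 0
$manual     = ($flags -band 0x02) -ne 0

[pscustomobject]@{
    AutoDetectProxy = $autoDetect   # WinHTTP/.NET will look for 'wpad' on the local network
    PacUrlSet       = $pacUrlSet    # an explicit PAC URL is configured
    ManualProxy     = $manual       # a static proxy host:port is configured
    FlagsByte       = ('0x{0:X2}' -f $flags)
}

# With auto-detect on, show what 'wpad' currently resolves to on this network so
# an unexpected or spoofed answer stands out. No answer at all is the benign case.
if ($autoDetect) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses('wpad') | ForEach-Object { $_.IPAddressToString }
        "wpad resolves to: $($addrs -join ', ')"
    } catch {
        'wpad does not resolve on this network (no DNS answer)'
    }
}

# What .NET would actually use for an outbound request. This is the
# System.Net.WebRequest code path the bulletin concerns; on an unpatched host on
# a hostile network it is what a malicious PAC would hook, so use with care.
$probe = [Uri]'http://www.example.com/'   # constructed probe URL, any host will do
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
"proxy .NET would use for $probe : $($proxy.GetProxy($probe))"
```

A result of AutoDetectProxy = True with no PacUrlSet and no ManualProxy is the default Windows configuration and the one the attack scenario depends on; pinning a PAC URL or a static proxy by policy, or ensuring "wpad" resolves only to a host you control, removes the attacker's opening until the update is deployed.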

Windows Shell
Most likely attack vector: Victim navigates to a malicious WebDAV or SMB share and previews a malicious Windows Briefcase folder.
Max bulletin severity: Critical
Max Exploitability Index rating: 1
Likely first 30 days impact: Likely to see reliable exploits developed within the next 30 days.

Excel
Most likely attack vector: Victim opens a malicious .XLS file, resulting in potential code execution in the context of the logged-in user.
Max bulletin severity: Important
Max Exploitability Index rating: 1
Likely first 30 days impact: Likely to see reliable exploits developed within the next 30 days.
Platform mitigations and key notes: Excel 2013 is not affected.

Internet Information Services (IIS)
Most likely attack vector: An attacker with access to the IIS server's operational log, after an administrator has enabled Configuration Auditing, may be able to read the cleartext password of the user account under which an IIS application pool runs.
Max bulletin severity: Moderate
Max Exploitability Index rating: N/A
Likely first 30 days impact: No chance of code execution. Likely to see descriptions of this information-disclosure vulnerability published within the next 30 days.
Platform mitigations and key notes: Non-default scenario for IIS 7.5 and later servers. Information disclosure only; no code execution.
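Because this one depends on two non-default conditions (Configuration Auditing turned on, and an application pool running under explicit credentials rather than a built-in identity), an IIS administrator can quickly tell whether a server is in scope and who could read the log. The following PowerShell is an added example, not code from the MSRC post; it assumes the WebAdministration module that ships with IIS 7.5 and later, and it assumes that Configuration Auditing writes to the event channel named Microsoft-IIS-Configuration/Operational.

```powershell
# Added example (not from the original MSRC post). Identifies the non-default
# conditions the IIS bulletin depends on and who can read the audit log.
# Assumptions: WebAdministration module (IIS 7.5+); Configuration Auditing uses
# the 'Microsoft-IIS-Configuration/Operational' event channel.
Import-Module WebAdministration -ErrorAction Stop

# 1. Is Configuration Auditing enabled? (It is off by default.)
$channel = 'Microsoft-IIS-Configuration/Operational'
$log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
$auditingOn = if ($log) { [bool]$log.IsEnabled } else { $false }
"Configuration Auditing enabled: $auditingOn"

# 2. Which application pools run under custom credentials? Only those have a
#    password that a config change could write into the audit log in cleartext.
#    Built-in identities (ApplicationPoolIdentity, NetworkService, ...) have none.
$custom = Get-ChildItem IIS:\AppPools | Where-Object {
    "$($_.processModel.identityType)" -eq 'SpecificUser'
} | ForEach-Object {
    [pscustomobject]@{ AppPool = $_.Name; RunsAs = $_.processModel.userName }
}
if ($custom) { $custom | Format-Table -AutoSize } else { 'No application pools use custom credentials' }

# 3. If both conditions hold, show who has read access to the log file on disk,
#    since "attacker having access to the log" is the whole attack vector.
if ($auditingOn -and $custom) {
    $path = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
    "Readers of $path :"
    (Get-Acl $path).Access |
        Where-Object { $_.FileSystemRights -match 'Read' -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, FileSystemRights |
        Format-Table -AutoSize
}
```

A server that reports auditing disabled, or no pools with custom credentials, is outside the scenario the bulletin describes; one that reports both should have the log's ACL restricted to administrators (and old .evtx archives reviewed) until the update is applied.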

– Jonathan Ness, MSRC Engineering