This month we release eight bulletins – four Critical and four Important – which address 25* unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, we recommend focusing on MS13-080, MS13-081, and MS13-083.
Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases (click for larger view).
MS13-080 | Cumulative Security Update for Internet Explorer
This security update resolves 9* issues in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a customer views a specially crafted webpage using Internet Explorer, as described in Microsoft Security Advisory 2887505. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user running Internet Explorer. All but one of these issues were privately disclosed.
MS13-081 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
This security update resolves seven issues in Microsoft Windows. The most severe vulnerability could allow remote code execution if a user views a malicious webpage with specially crafted OpenType fonts. This release also addresses vulnerabilities that could allow elevation of privilege if an attacker gains access to a system, in some cases physical access to a USB port is required. These issues were privately reported and we have not detected any attacks or customer impact.
MS13-083 | Vulnerability in Windows Common Control Library Could Allow Remote Code Execution
This security update resolves one issue in Microsoft Windows. The vulnerability could allow remote code execution if an affected system is accessible via an ASP.NET web application and can receive a specifically crafted request. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. This issue was privately reported and we have not detected any attacks or customer impact.
Security Advisory 2862973 Update for MD5 Certificates
We would like to remind customers of the Update for MD5 Certificates that was released in August 2013 and will be released through Microsoft Update in February 2014. This update affects applications and services using certificates with the MD5 hashing algorithm. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. This will apply only to certificates utilized for server authentication, code signing and time stamping. These applications and services will no longer trust certificates utilizing MD5.
Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index (click for larger view).
For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.
Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, October 9, 2013, at 11 a.m. PDT. I invite you to register here and tune in to learn more about this month’s security bulletins and advisory.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
I look forward to hearing your questions in the webcast tomorrow.
Group Manager, Response Communications
Microsoft Trustworthy Computing
*Updated CVE count to accurately reflect the correct number which is 25. This is a documentation error and there is no known impact to customers.