Today we released four security bulletins addressing 42 unique CVEs. One bulletin has a maximum severity rating of Critical and the other three have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment.
|Bulletin||Most likely attack vector||Max Bulletin Severity||Max Exploitability Index Rating||Platform mitigations and key notes|
| ||Victim browses to a malicious webpage.||Critical||0||Exploitation of CVE-2013-7331 detected in the wild as an information disclosure to determine whether EMET or a third-party anti-malware product is installed prior to launching an exploit for a different vulnerability. No remote code execution vulnerabilities being addressed in this update are known to be under active attack.|
| ||Attacker running code at low privilege runs exploit binary to elevate to SYSTEM.||Important||1|| |
| ||Attacker causes compute resource exhaustion denial of service on ASP.NET webserver by sending maliciously crafted HTTP/HTTPS requests.||Important||3||Systems only affected if ASP.NET is explicitly installed, enabled, and registered with IIS.|
| ||Attacker causes Lync server to fail by sending maliciously crafted SIP invite requests to victim Lync server.||Important||3||Vulnerability is remote, unauthenticated denial-of-service but attacker must first have access to information present in a valid Lync Server meeting request.|
– Jonathan Ness, MSRC