| Bulletin ID: MS13-106 |
Title: Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass (2905238) |
Update Type: Security Update |
Severity: Important |
Date: 2013-12-10 |
| Description: This security update resolves one publicly disclosed vulnerability in a Microsoft Office shared component that is currently being exploited. The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code. | ||||
| Vulnerabilities: CVE-2013-5057 |
Included Updates: 2850016 2850022 2905238 |
Applies to: Microsoft Office 2007 Microsoft Office 2010 |
||
| Bulletin ID: MS13-105 |
Title: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-12-10 |
| Description: This security update resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. These vulnerabilities could allow remote code execution in the security context of the LocalService account if an attacker sends an email message containing a specially crafted file to a user on an affected Exchange server. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network. | ||||
| Vulnerabilities: CVE-2013-1330 CVE-2013-5072 CVE-2013-5763 CVE-2013-5791 |
Included Updates: 2880833 2903903 2903911 2905616 2915705 |
Applies to: Microsoft Server Software |
||
| Bulletin ID: MS13-104 |
Title: Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976) |
Update Type: Security Update |
Severity: Important |
Date: 2013-12-10 |
| Description: This security update resolves one privately reported vulnerability in Microsoft Office that could allow information disclosure if a user attempts to open an Office file hosted on a malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site. | ||||
| Vulnerabilities: CVE-2013-5054 |
Included Updates: 2850064 2909976 |
Applies to: Microsoft Office 2013 Microsoft Office 2013 RT |
||
| Bulletin ID: MS13-103 |
Title: Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege (2905244) |
Update Type: Security Update |
Severity: Important |
Date: 2013-12-10 |
| Description: This security update resolves a privately reported vulnerability in ASP.NET SignalR. The vulnerability could allow elevation of privilege if an attacker reflects specially crafted JavaScript back to the browser of a targeted user. | ||||
| Vulnerabilities: CVE-2013-5042 |
Included Updates: 2903566 2905244 |
Applies to: |
||
| Bulletin ID: MS13-102 |
Title: Vulnerability in LRPC Client Could Allow Elevation of Privilege (2898715) |
Update Type: Security Update |
Severity: Important |
Date: 2013-12-10 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker spoofs an LRPC server and sends a specially crafted LPC port message to any LRPC client. An attacker who successfully exploited the vulnerability could then install programs; view, change, or delete data; or create new accounts with full administrator rights. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | ||||
| Vulnerabilities: CVE-2013-3878 |
Included Updates: 2898715 |
Applies to: Windows Server 2003 Windows XP |
||
| Bulletin ID: MS13-101 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) |
Update Type: Security Update |
Severity: Important |
Date: 2013-12-10 |
| Description: This security update resolves five privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | ||||
| Vulnerabilities: CVE-2013-3899 CVE-2013-3902 CVE-2013-3903 CVE-2013-3907 CVE-2013-5058 |
Included Updates: 2880430 2887069 2893984 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
||
| Bulletin ID: MS13-100 |
Title: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2904244) |
Update Type: Security Update |
Severity: Important |
Date: 2013-12-10 |
| Description: This security update resolves multiple privately reported vulnerabilities in Microsoft Office server software. These vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the W3WP service account on the target SharePoint site. | ||||
| Vulnerabilities: CVE-2013-5059 |
Included Updates: 2553298 2837629 2837631 2850058 2904244 2910228 |
Applies to: Microsoft SharePoint Server 2013 |
||
| Bulletin ID: MS13-099 |
Title: Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution (2909158) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-12-10 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to visit a specially crafted website or a website that hosts specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-5056 |
Included Updates: 2892074 2892075 2892076 2909158 |
Applies to: Server Core installation option Windows 2008 R2 Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
||
| Bulletin ID: MS13-096 |
Title: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-12-10 |
| Description: This security update resolves a publicly disclosed vulnerability in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerability could allow remote code execution if a user views content that contains specially crafted TIFF files. | ||||
| Vulnerabilities: CVE-2013-3906 |
Included Updates: 2817641 2817670 2850047 2850057 2899395 2899397 2901674 2908005 |
Applies to: Server Core installation option Windows Server 2008 Windows Vista |
||
| Bulletin ID: MS13-094 |
Title: Vulnerability in Microsoft Outlook Could Allow Information Disclosure (2894514) |
Update Type: Security Update |
Severity: Important |
Date: 2013-11-12 |
| Description: This security update resolves a publicly disclosed vulnerability in Microsoft Outlook. The vulnerability could allow information disclosure if a user opens or previews a specially crafted email message using an affected edition of Microsoft Outlook. An attacker who successfully exploited this vulnerability could ascertain system information, such as the IP address and open TCP ports, from the target system and other systems that share the network with the target system. | ||||
| Vulnerabilities: CVE-2013-3905 |
Included Updates: 2825644 2837597 2837618 2894514 |
Applies to: Microsoft Office 2007 Microsoft Office 2010 Microsoft Office 2013 Microsoft Office 2013 RT |
||
| Bulletin ID: MS13-093 |
Title: Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure (2875783) |
Update Type: Security Update |
Severity: Important |
Date: 2013-11-12 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if an attacker logs on to an affected system as a local user, and runs a specially crafted application on the system that is designed to enable the attacker to obtain information from a higher-privileged account. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | ||||
| Vulnerabilities: CVE-2013-3887 |
Included Updates: 2875783 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-092 |
Title: Vulnerability in Hyper-V Could Allow Elevation of Privilege (2893986) |
Update Type: Security Update |
Severity: Important |
Date: 2013-11-12 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker passes a specially crafted function parameter in a hypercall from an existing running virtual machine to the hypervisor. The vulnerability could also allow denial of service for the Hyper-V host if the attacker passes a specially crafted function parameter in a hypercall from an existing running virtual machine to the hypervisor. | ||||
| Vulnerabilities: CVE-2013-3898 |
Included Updates: 2893986 |
Applies to: Server Core installation option Windows 8 Windows Server 2012 |
||
| Bulletin ID: MS13-091 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2885093) |
Update Type: Security Update |
Severity: Important |
Date: 2013-11-12 |
| Description: This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted WordPerfect document file is opened in an affected version of Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-0082 CVE-2013-1324 CVE-2013-1325 |
Included Updates: 2553284 2760415 2760494 2760781 2768005 2885093 |
Applies to: Microsoft Office 2003 Microsoft Office 2007 Microsoft Office 2010 Microsoft Office 2013 |
||
| Bulletin ID: MS13-089 |
Title: Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution (2876331) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-11-12 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views or opens a specially crafted Windows Write file in WordPad. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3940 |
Included Updates: 2876331 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows 8.1 Windows RT Windows RT 8.1 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Vista Windows XP |
||
| Bulletin ID: MS13-087 |
Title: Vulnerability in Silverlight Could Allow Information Disclosure (2890788) |
Update Type: Security Update |
Severity: Important |
Date: 2013-10-08 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Silverlight. The vulnerability could allow information disclosure if an attacker hosts a website that contains a specially crafted Silverlight application that is designed to exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. Such websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems. | ||||
| Vulnerabilities: CVE-2013-3896 |
Included Updates: 2890788 |
Applies to: |
||
| Bulletin ID: MS13-086 |
Title: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084) |
Update Type: Security Update |
Severity: Important |
Date: 2013-10-08 |
| Description: This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3891 CVE-2013-3892 |
Included Updates: 2826020 2827329 2827330 2885084 |
Applies to: Microsoft Office 2003 Microsoft Office 2007 Other Office Software |
||
| Bulletin ID: MS13-085 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080) |
Update Type: Security Update |
Severity: Important |
Date: 2013-10-08 |
| Description: This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3889 CVE-2013-3890 |
Included Updates: 2760585 2760591 2817623 2826023 2826033 2826035 2827238 2827324 2827326 2827328 2885080 |
Applies to: Microsoft Office 2007 Microsoft Office 2010 Microsoft Office 2013 Microsoft Office 2013 RT Microsoft Office for Mac Other Microsoft Office Software |
||
| Bulletin ID: MS13-084 |
Title: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089) |
Update Type: Security Update |
Severity: Important |
Date: 2013-10-08 |
| Description: This security update resolves two privately reported vulnerabilities in Microsoft Office server software. The most severe vulnerability could allow remote code execution if a user opens a specially crafted Office file in an affected version of Microsoft SharePoint Server, Microsoft Office Services, or Web Apps. | ||||
| Vulnerabilities: CVE-2013-3889 CVE-2013-3895 |
Included Updates: 2589365 2596741 2752002 2760561 2826022 2826028 2826029 2826030 2826036 2827222 2827327 2885089 |
Applies to: Microsoft SharePoint Server 2007 Service Pack 3 Microsoft SharePoint Server 2010 Service Pack 1 Microsoft SharePoint Server 2010 Service Pack 2 Microsoft SharePoint Server 2013 |
||
| Bulletin ID: MS13-083 |
Title: Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-10-08 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted web request to an ASP.NET web application running on an affected system. An attacker could exploit this vulnerability without authentication to run arbitrary code. | ||||
| Vulnerabilities: CVE-2013-3195 |
Included Updates: 2864058 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-082 |
Title: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-10-08 |
| Description: This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft .NET Framework. The most severe of the vulnerabilities could allow remote code execution if a user visits a website containing a specially crafted OpenType font (OTF) file using a browser capable of instantiating XBAP applications. | ||||
| Vulnerabilities: CVE-2013-3128 CVE-2013-3860 CVE-2013-3861 |
Included Updates: 2858302 2861188 2861189 2861190 2861191 2861193 2861194 2861208 2861697 2861698 2861702 2861704 2863239 2863240 2863243 2863253 2878890 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-080 |
Title: Cumulative Security Update for Internet Explorer (2879017) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-10-08 |
| Description: This security update resolves one publicly disclosed vulnerability and nine privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3893 |
Included Updates: 2879017 2884101 |
Applies to: Internet Explorer 10 Internet Explorer 11 Internet Explorer 6 Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 |
||
| Bulletin ID: MS13-034 |
Title: Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482) |
Update Type: Security Update |
Severity: Important |
Date: 2013-10-08 |
| Description: This security update resolves a privately reported vulnerability in the Microsoft Antimalware Client. The vulnerability could allow elevation of privilege due to the pathnames used by the Microsoft Antimalware Client. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users. | ||||
| Vulnerabilities: CVE-2013-0078 |
Included Updates: 2781197 2823482 |
Applies to: |
||
| Bulletin ID: MS13-074 |
Title: Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637) |
Update Type: Security Update |
Severity: Important |
Date: 2013-09-13 |
| Description: This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Access file with an affected version of Microsoft Access. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: |
Included Updates: 2596825 2687423 2810009 2848637 |
Applies to: |
||
| Bulletin ID: MS13-073 |
Title: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300) |
Update Type: Security Update |
Severity: Important |
Date: 2013-09-13 |
| Description: This security update resolves three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-1315 CVE-2013-3158 CVE-2013-3159 |
Included Updates: 2760583 2760588 2760590 2760597 2768017 2810048 2858300 |
Applies to: Components Microsoft Office Suites Microsoft Office for Mac Other Microsoft Office Software |
||
| Bulletin ID: MS13-072 |
Title: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537) |
Update Type: Security Update |
Severity: Important |
Date: 2013-09-13 |
| Description: This security update resolves 13 privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3160 CVE-2013-3847 CVE-2013-3848 CVE-2013-3849 CVE-2013-3857 CVE-2013-3858 |
Included Updates: 2597973 2760411 2760769 2760823 2767773 2767913 2817474 2817682 2817683 2845537 |
Applies to: Microsoft Office 2003 Microsoft Office 2007 Microsoft Office 2010 Other Office Software |
||
| Bulletin ID: MS13-067 |
Title: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-09-13 |
| Description: This security update resolves one publicly disclosed vulnerability and nine privately reported vulnerabilities in Microsoft Office Server software. The most severe vulnerability could allow remote code execution in the context of the W3WP service account if an attacker sends specially crafted content to the affected server. | ||||
| Vulnerabilities: CVE-2013-0081 CVE-2013-1315 CVE-2013-1330 CVE-2013-3179 CVE-2013-3180 CVE-2013-3847 CVE-2013-3848 CVE-2013-3849 CVE-2013-3857 CVE-2013-3858 |
Included Updates: 2553408 2760420 2760589 2760594 2760595 2760755 2810061 2810067 2810083 2817305 2817315 2817372 2817384 2817393 2834052 |
Applies to: Microsoft SharePoint Portal Server 2003 Service Pack 3 Microsoft SharePoint Server 2007 Service Pack 3 Microsoft SharePoint Server 2010 Service Pack 1 Microsoft SharePoint Server 2010 Service Pack 2 Microsoft SharePoint Server 2013 |
||
| Bulletin ID: MS13-079 |
Title: Vulnerability in Active Directory Could Allow Denial of Service (2853587) |
Update Type: Security Update |
Severity: Important |
Date: 2013-09-11 |
| Description: This security update resolves a privately reported vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sends a specially crafted query to the Lightweight Directory Access Protocol (LDAP) service. | ||||
| Vulnerabilities: CVE-2013-3868 |
Included Updates: 2853587 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista |
||
| Bulletin ID: MS13-076 |
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315) |
Update Type: Security Update |
Severity: Important |
Date: 2013-09-11 |
| Description: This security update resolves seven privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. | ||||
| Vulnerabilities: CVE-2013-3866 |
Included Updates: 2876315 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-078 |
Title: Vulnerability in FrontPage Could Allow Information Disclosure (2825621) |
Update Type: Security Update |
Severity: Important |
Date: 2013-09-10 |
| Description: This security update resolves a privately reported vulnerability in Microsoft FrontPage. The vulnerability could allow information disclosure if a user opens a specially crafted FrontPage document. The vulnerability cannot be exploited automatically; for an attack to be successful a user must be convinced to open the specially crafted document. | ||||
| Vulnerabilities: CVE-2013-3137 |
Included Updates: 2825621 |
Applies to: |
||
| Bulletin ID: MS13-077 |
Title: Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339) |
Update Type: Security Update |
Severity: Important |
Date: 2013-09-10 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker convinces an authenticated user to execute a specially crafted application. To exploit this vulnerability, an attacker either must have valid logon credentials and be able to log on locally or must convince a user to run the attacker's specially crafted application. | ||||
| Vulnerabilities: CVE-2013-3862 |
Included Updates: 2872339 |
Applies to: Server Core installation option Updates Replaced Windows 7 Windows Server 2008 R2 |
||
| Bulletin ID: MS13-075 |
Title: Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687) |
Update Type: Security Update |
Severity: Important |
Date: 2013-09-10 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged on attacker launches Internet Explorer from the toolbar in Microsoft Pinyin IME for Simplified Chinese. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected. | ||||
| Vulnerabilities: CVE-2013-3859 |
Included Updates: 2687413 2878687 |
Applies to: Components Microsoft Office Suites |
||
| Bulletin ID: MS13-071 |
Title: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) |
Update Type: Security Update |
Severity: Important |
Date: 2013-09-10 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user applies a specially crafted Windows theme on their system. In all cases, a user cannot be forced to open the file or apply the theme; for an attack to be successful, a user must be convinced to do so. | ||||
| Vulnerabilities: CVE-2013-0810 |
Included Updates: 2864063 |
Applies to: Windows Server 2003 Windows Server 2008 Windows Vista Windows XP |
||
| Bulletin ID: MS13-070 |
Title: Vulnerability in OLE Could Allow Remote Code Execution (2876217) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-09-10 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3863 |
Included Updates: 2876217 |
Applies to: Windows Server 2003 Windows XP |
||
| Bulletin ID: MS13-068 |
Title: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-09-10 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Outlook. The vulnerability could allow remote code execution if a user opens or previews a specially crafted email message using an affected edition of Microsoft Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3870 |
Included Updates: 2756473 2794707 2825999 |
Applies to: |
||
| Bulletin ID: MS13-061 |
Title: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2876063) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-08-27 |
| Description: This security update resolves three publicly disclosed vulnerabilities in Microsoft Exchange Server. The vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing uses the credentials of the LocalService account. The Data Loss Prevention feature hosts code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. The Filtering Management service in Exchange uses the credentials of the LocalService account. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network. | ||||
| Vulnerabilities: CVE-2013-2393 CVE-2013-3776 CVE-2013-3781 |
Included Updates: 2866475 2873746 2874216 2876063 |
Applies to: Microsoft Server Software |
||
| Bulletin ID: MS13-057 |
Title: Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-08-27 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3127 |
Included Updates: 2803821 2834902 2834903 2834904 2834905 2845142 2847883 |
Applies to: Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-066 |
Title: Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (2873872) |
Update Type: Security Update |
Severity: Important |
Date: 2013-08-19 |
| Description: This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance. | ||||
| Vulnerabilities: CVE-2013-3185 |
Included Updates: 2843638 2843639 2868846 2873872 |
Applies to: Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 |
||
| Bulletin ID: MS13-065 |
Title: Vulnerability in ICMPv6 could allow Denial of Service (2868623) |
Update Type: Security Update |
Severity: Important |
Date: 2013-08-13 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if the attacker sends a specially crafted ICMP packet to the target system. | ||||
| Vulnerabilities: CVE-2013-3183 |
Included Updates: 2868623 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista |
||
| Bulletin ID: MS13-064 |
Title: Vulnerability in Windows NAT Driver Could Allow Denial of Service (2849568) |
Update Type: Security Update |
Severity: Important |
Date: 2013-08-13 |
| Description: This security update resolves a privately reported vulnerability in the Windows NAT Driver in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted ICMP packet to a target server that is running the Windows NAT Driver service. | ||||
| Vulnerabilities: CVE-2013-3182 |
Included Updates: 2849568 |
Applies to: |
||
| Bulletin ID: MS13-063 |
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2859537) |
Update Type: Security Update |
Severity: Important |
Date: 2013-08-13 |
| Description: This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft Windows. The most severe vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users. | ||||
| Vulnerabilities: CVE-2013-2556 |
Included Updates: 2859537 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Vista Windows XP |
||
| Bulletin ID: MS13-062 |
Title: Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470) |
Update Type: Security Update |
Severity: Important |
Date: 2013-08-13 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker sends a specially crafted RPC request. | ||||
| Vulnerabilities: CVE-2013-3175 |
Included Updates: 2849470 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-060 |
Title: Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2850869) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-08-13 |
| Description: This security update resolves a privately reported vulnerability in the Unicode Scripts Processor included in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3181 |
Included Updates: 2850869 |
Applies to: Windows Server 2003 Windows XP |
||
| Bulletin ID: MS13-054 |
Title: Vulnerability in GDI+ Could Allow Remote Code Execution (2848295) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-08-13 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows, Microsoft Office, Microsoft Lync, and Microsoft Visual Studio. The vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files. | ||||
| Vulnerabilities: CVE-2013-3129 |
Included Updates: 2687276 2687309 2817465 2817480 2834886 2835361 2835364 2843160 2843163 2848295 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-052 |
Title: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-08-13 |
| Description: This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a trusted application uses a particular pattern of code. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3129 CVE-2013-3131 CVE-2013-3132 CVE-2013-3133 CVE-2013-3134 CVE-2013-3171 CVE-2013-3178 |
Included Updates: 2832407 2832411 2832412 2832414 2832418 2833940 2833941 2833946 2833947 2833949 2833951 2833957 2833958 2833959 2835393 2835622 2840628 2840629 2840631 2840632 2840633 2840642 2844285 2844286 2844287 2844289 2847559 2861561 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-058 |
Title: Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927) |
Update Type: Security Update |
Severity: Important |
Date: 2013-07-09 |
| Description: This security update resolves a privately reported vulnerability in Windows Defender for Windows 7 and Windows Defender when installed on Windows Server 2008 R2. The vulnerability could allow elevation of privilege due to the pathnames used by Windows Defender. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users. | ||||
| Vulnerabilities: CVE-2013-3154 |
Included Updates: 2847927 |
Applies to: |
||
| Bulletin ID: MS13-056 |
Title: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-07-09 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted image file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-3174 |
Included Updates: 2845187 |
Applies to: Windows 7 Windows 8 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-053 |
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-07-09 |
| Description: This security update resolves two publicly disclosed and six privately reported vulnerabilities in Microsoft Windows. The most severe vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. | ||||
| Vulnerabilities: CVE-2013-1300 CVE-2013-1340 CVE-2013-1345 CVE-2013-3129 CVE-2013-3167 CVE-2013-3172 CVE-2013-3173 CVE-2013-3660 |
Included Updates: 2850851 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-048 |
Title: Vulnerability in Windows Kernel Could Allow Information Disclosure (2839229) |
Update Type: Security Update |
Severity: Important |
Date: 2013-06-18 |
| Description: This security update resolves one privately reported vulnerability in Windows. The vulnerability could allow information disclosure if an attacker logs on to a system and runs a specially crafted application or convinces a local, logged-in user to run a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system. | ||||
| Vulnerabilities: CVE-2013-3136 |
Included Updates: 2839229 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows Server 2003 Windows Server 2008 Windows Vista Windows XP |
||
| Bulletin ID: MS13-051 |
Title: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2839571) |
Update Type: Security Update |
Severity: Important |
Date: 2013-06-11 |
| Description: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Office document using an affected version of Microsoft Office software, or previews or opens a specially crafted email message in Outlook while using Microsoft Word as the email reader. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-1331 |
Included Updates: 2817421 2839571 |
Applies to: |
||
| Bulletin ID: MS13-050 |
Title: Vulnerability in Windows Print Spooler Components Could Allow Elevation of Privilege (2839894) |
Update Type: Security Update |
Severity: Important |
Date: 2013-06-11 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege when an authenticated attacker deletes a printer connection. An attacker must have valid logon credentials and be able to log on to exploit this vulnerability. | ||||
| Vulnerabilities: CVE-2013-1339 |
Included Updates: 2839894 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista |
||
| Bulletin ID: MS13-049 |
Title: Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (2845690) |
Update Type: Security Update |
Severity: Important |
Date: 2013-06-11 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends specially crafted packets to the server. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. | ||||
| Vulnerabilities: CVE-2013-3138 |
Included Updates: 2845690 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista |
||
| Bulletin ID: MS13-044 |
Title: Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692) |
Update Type: Security Update |
Severity: Important |
Date: 2013-05-23 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user opens a specially crafted Visio file. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system. | ||||
| Vulnerabilities: CVE-2013-1301 |
Included Updates: 2596595 2810062 2810068 2834692 |
Applies to: |
||
| Bulletin ID: MS13-046 |
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221) |
Update Type: Security Update |
Severity: Important |
Date: 2013-05-14 |
| Description: This security update resolves three privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. | ||||
| Vulnerabilities: CVE-2013-1332 CVE-2013-1333 CVE-2013-1334 |
Included Updates: 2829361 2830290 2840221 |
Applies to: Server Core Installation Option Windows 2008 R2 Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-043 |
Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399) |
Update Type: Security Update |
Severity: Important |
Date: 2013-05-14 |
| Description: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file or previews a specially crafted email message in an affected version of Microsoft Office software. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-1335 |
Included Updates: 2810046 2817361 2830399 |
Applies to: Components Microsoft Office Suites Other Microsoft Office Software |
||
| Bulletin ID: MS13-042 |
Title: Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397) |
Update Type: Security Update |
Severity: Important |
Date: 2013-05-14 |
| Description: This security update resolves eleven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user open a specially crafted Publisher file with an affected version of Microsoft Publisher. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: |
Included Updates: 2553147 2597971 2810047 2830397 |
Applies to: Components Microsoft Office Suites |
||
| Bulletin ID: MS13-041 |
Title: Vulnerability in Lync Could Allow Remote Code Execution (2834695) |
Update Type: Security Update |
Severity: Important |
Date: 2013-05-14 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Lync. The vulnerability could allow remote code execution if an attacker shares specially crafted content, such as a file or program, as a presentation in Lync or Communicator and then convinces a user to accept an invitation to view or share the presentable content. In all cases, an attacker would have no way to force users to view or share the attacker-controlled file or program. Instead, an attacker would have to convince users to take action, typically by getting them to accept an invitation in Lync or Communicator to view or share the presentable content. | ||||
| Vulnerabilities: CVE-2013-1302 |
Included Updates: 2827750 2827752 2827753 2827754 2834695 |
Applies to: |
||
| Bulletin ID: MS13-040 |
Title: Vulnerabilities in .NET Framework Could Allow Spoofing (2836440) |
Update Type: Security Update |
Severity: Important |
Date: 2013-05-14 |
| Description: This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in the .NET Framework. The more severe of the vulnerabilities could allow spoofing if a .NET application receives a specially crafted XML file. An attacker who successfully exploited the vulnerabilities could modify the contents of an XML file without invalidating the file's signature and could gain access to endpoint functions as if they were an authenticated user. | ||||
| Vulnerabilities: CVE-2013-1336 CVE-2013-1337 |
Included Updates: 2804576 2804577 2804579 2804580 2804582 2804583 2804584 2836440 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows RT Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-039 |
Title: Vulnerability in HTTP.sys Could Allow Denial of Service (2829254) |
Update Type: Security Update |
Severity: Important |
Date: 2013-05-14 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client. | ||||
| Vulnerabilities: CVE-2013-1305 |
Included Updates: 2829254 |
Applies to: Server Core installation option Windows 2012 Windows 8 Windows RT |
||
| Bulletin ID: MS13-009 |
Title: Cumulative Security Update for Internet Explorer (2792100) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-05-14 |
| Description: This security update resolves thirteen privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-0015 |
Included Updates: 2792100 |
Applies to: Internet Explorer 10 Internet Explorer 6 Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 |
||
| Bulletin ID: MS12-003 |
Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524) |
Update Type: Security Update |
Severity: Important |
Date: 2013-04-23 |
| Description: This security update resolves one privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. All supported editions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section. | ||||
| Vulnerabilities: CVE-2012-0005 |
Included Updates: 2646524 |
Applies to: Windows Server 2003 Windows Server 2003, Datacenter Edition Windows Server 2008 Windows Vista Windows XP Windows XP x64 Edition |
||
| Bulletin ID: MS13-035 |
Title: Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818) |
Update Type: Security Update |
Severity: Important |
Date: 2013-04-09 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user. | ||||
| Vulnerabilities: CVE-2013-1289 |
Included Updates: 2687421 2687422 2687424 2760406 2760408 2760777 2810059 2821818 |
Applies to: |
||
| Bulletin ID: MS13-033 |
Title: Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917) |
Update Type: Security Update |
Severity: Important |
Date: 2013-04-09 |
| Description: This security update resolves a privately reported vulnerability in all supported editions of Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. | ||||
| Vulnerabilities: CVE-2013-1295 |
Included Updates: 2820917 |
Applies to: Server Core installation option Windows Server 2003 Windows Server 2008 Windows Vista Windows XP |
||
| Bulletin ID: MS13-032 |
Title: Vulnerability in Active Directory Could Lead to Denial of Service (2830914) |
Update Type: Security Update |
Severity: Important |
Date: 2013-04-09 |
| Description: This security update resolves a privately reported vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sends a specially crafted query to the Lightweight Directory Access Protocol (LDAP) service. | ||||
| Vulnerabilities: CVE-2013-1282 |
Included Updates: 2772930 2801109 2830914 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-030 |
Title: Vulnerability in SharePoint Could Allow Information Disclosure (2827663) |
Update Type: Security Update |
Severity: Important |
Date: 2013-04-09 |
| Description: This security update resolves a publicly disclosed vulnerability in Microsoft SharePoint Server. The vulnerability could allow information disclosure if an attacker determined the address or location of a specific SharePoint list and gained access to the SharePoint site where the list is maintained. The attacker would need to be able to satisfy the SharePoint site's authentication requests to exploit this vulnerability. | ||||
| Vulnerabilities: CVE-2013-1290 |
Included Updates: 2737969 2827663 |
Applies to: Maximum Security Impact Microsoft SharePoint Server Software Update Package |
||
| Bulletin ID: MS13-025 |
Title: Vulnerability in Microsoft OneNote Could Allow Information Disclosure (2816264) |
Update Type: Security Update |
Severity: Important |
Date: 2013-03-12 |
| Description: This security update resolves a privately reported vulnerability in Microsoft OneNote. The vulnerability could allow information disclosure if an attacker convinces a user to open a specially crafted OneNote file. | ||||
| Vulnerabilities: CVE-2013-0086 |
Included Updates: 2760600 2816264 |
Applies to: |
||
| Bulletin ID: MS13-024 |
Title: Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-03-12 |
| Description: This security update resolves four privately reported vulnerabilities in Microsoft SharePoint and Microsoft SharePoint Foundation. The most severe vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes the user to a targeted SharePoint site. | ||||
| Vulnerabilities: CVE-2013-0080 CVE-2013-0083 CVE-2013-0084 CVE-2013-0085 |
Included Updates: 2553407 2687418 2780176 |
Applies to: |
||
| Bulletin ID: MS13-023 |
Title: Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2801261) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-03-12 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-0079 |
Included Updates: 2553501 2687505 2760762 2801261 |
Applies to: |
||
| Bulletin ID: MS13-022 |
Title: Vulnerability in Silverlight Could Allow Remote Code Execution (2814124) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-03-12 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. Such websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems. | ||||
| Vulnerabilities: CVE-2013-0074 |
Included Updates: 2814124 |
Applies to: |
||
| Bulletin ID: MS13-020 |
Title: Vulnerability in OLE Automation Could Allow Remote Code Execution (2802968) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-02-12 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability could allow remote code execution if a user opens a specially crafted file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-1313 |
Included Updates: 2802968 |
Applies to: |
||
| Bulletin ID: MS13-015 |
Title: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277) |
Update Type: Security Update |
Severity: Important |
Date: 2013-02-12 |
| Description: This security update resolves one privately reported vulnerability in the .NET Framework. The vulnerability could allow elevation of privilege if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). The vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-0073 |
Included Updates: 2789642 2789643 2789644 2789645 2789646 2789648 2789649 2789650 2800277 |
Applies to: Server Core installation option Windows 7 Windows 8 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Vista Windows XP |
||
| Bulletin ID: MS13-014 |
Title: Vulnerability in NFS Server Could Allow Denial of Service (2790978) |
Update Type: Security Update |
Severity: Important |
Date: 2013-02-12 |
| Description: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker attempts a file operation on a read only share. An attacker who exploited this vulnerability could cause the affected system to stop responding and restart. The vulnerability only affects Windows servers with the NFS role enabled. | ||||
| Vulnerabilities: CVE-2013-1281 |
Included Updates: 2790978 |
Applies to: Server Core installation option Windows Server 2008 R2 Windows Server 2012 |
||
| Bulletin ID: MS13-012 |
Title: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2809279) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-02-12 |
| Description: This security update resolves publicly disclosed vulnerabilities in Microsoft Exchange Server. The most severe vulnerability is in Microsoft Exchange Server WebReady Document Viewing, and could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. | ||||
| Vulnerabilities: CVE-2013-0393 CVE-2013-0418 |
Included Updates: 2746164 2788321 2809279 |
Applies to: Microsoft Server Software |
||
| Bulletin ID: MS13-011 |
Title: Vulnerability in Media Decompression Could Allow Remote Code Execution (2780091) |
Update Type: Security Update |
Severity: Critical |
Date: 2013-02-12 |
| Description: This security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted media file (such as an .mpg file), opens a Microsoft Office document (such as a .ppt file) that contains a specially crafted embedded media file, or receives specially crafted streaming content. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-0077 |
Included Updates: 2780091 |
Applies to: Windows Server 2003 Windows Server 2008 Windows Vista Windows XP |
||
| Bulletin ID: MS13-007 |
Title: Vulnerability in Open Data Protocol Could Allow Denial of Service (2769327) |
Update Type: Security Update |
Severity: Important |
Date: 2013-01-08 |
| Description: This security update resolves a privately reported vulnerability in the Open Data (OData) protocol. The vulnerability could allow denial of service if an unauthenticated attacker sends specially crafted HTTP requests to an affected site. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. | ||||
| Vulnerabilities: CVE-2013-0005 |
Included Updates: 2736416 2736418 2736422 2736428 2736693 2753596 |
Applies to: |
||
| Bulletin ID: MS13-004 |
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2769324) |
Update Type: Security Update |
Severity: Important |
Date: 2013-01-08 |
| Description: This security update resolves four privately reported vulnerabilitiesin the .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). The vulnerabilities could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. | ||||
| Vulnerabilities: CVE-2013-0001 CVE-2013-0002 CVE-2013-0003 CVE-2013-0004 |
Included Updates: 2742595 2742596 2742597 2742598 2742599 2742601 2742604 2742607 2742613 2742614 2742616 2756918 2756919 2756920 2756921 2756923 |
Applies to: |
||
