http://technet.microsoft.com/security/bulletinWed, 15 May 2013 08:00:00 GMTumbracoen-USCopyright (C) 2011 Microsoft Corporationhttp://technet.microsoft.com/security/bulletinhttp://www.microsoft.com/library/toolbar/3.0/images/banners/TechNetB_masthead_ltr.gif42225http://technet.microsoft.com/en-us/security/bulletin/ms13-0452013-05-15T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-045 Revision Note: V1.1 (May 15, 2013): Corrected link to the download location in the Detection and Deployment Tools and Guidance section. This is an informational change only.
Summary: This security update resolves a privately reported vulnerability in Windows Writer. The vulnerability could allow information disclosure if a user opens Writer using a specially crafted URL. An attacker who successfully exploited the vulnerability could override Windows Writer proxy settings and overwrite files accessible to the user on the target system. In a web-based attack scenario, a website could contain a specially crafted link that is used to exploit this vulnerability. An attacker would have to convince users to visit the website and open the specially crafted link.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0462013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-046 Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves three reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs onto the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0442013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-044 Revision Note: V1.0 (May 14, 2013): Bulletin published
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user opens a specially crafted Visio file. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0432013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-043 Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file or previews a specially crafted email message in an affected version of Microsoft Office software. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0422013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-042 Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves eleven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user open a specially crafted Publisher file with an affected version of Microsoft Publisher. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0412013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-041 Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Lync. The vulnerability could allow remote code execution if an attacker shares a specially crafted program in a Lync or Communicator session and convinces a user to accept an invitation to launch the program content. In all cases, an attacker would have no way to force users to view or share the attacker-controlled file or program. Instead, an attacker would have to convince users to take action, typically by getting them to accept an invitation in Lync or Communicator to view or share the presentable content.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0402013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-040 Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in the .NET Framework. The more severe of the vulnerabilities could allow spoofing if a .NET application receives a specially crafted XML file. An attacker who successfully exploited the vulnerabilities could modify the contents of an XML file without invalidating the file's signature and could gain access to endpoint functions as if they were an authenticated user.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0392013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-039 Revision Note: (May 14, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0382013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-038 Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves one publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0372013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-037 Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves eleven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0092013-05-14T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-009 Revision Note: V1.2 (May 14, 2013): Revised this bulletin to announce a detection change to correct an offering issue for Windows Server 2012 (Server Core installation). This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves thirteen privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms12-0432013-04-26T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms12-043 Revision Note: V4.2 (April 26, 2013): Corrected update replacement. This is an informational change only. There were no changes to the security update files or detection logic.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0362013-04-24T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-036 Revision Note: V3.1 (April 24, 2013): Corrected KB article hyperlink and incorrect KB numbers for Windows 7 for x64-based Systems and Windows Server 2008 R2 for Itanium-based Systems in the Affected Software table. These are bulletin changes only.
Summary: This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0312013-04-24T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-031 Revision Note: V1.1 (April 24, 2013): Corrected update replacement. This is an informational change only. There were no changes to the security update files or detection logic.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0282013-04-24T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-028 Revision Note: V1.1 (April 24, 2013): Added CVE-2013-1338 as a vulnerability addressed by this update. In addition, corrected update replacement and clarified why this update replaces MS13-010. These are informational changes only.
Summary: This security update resolves two privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0342013-04-16T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-034 Revision Note: V1.1 (April 16, 2013): Bulletin revised to announce a detection change in the 2781197 package to correct a reoffering issue. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in the Microsoft Antimalware Client. The vulnerability could allow elevation of privilege due to the pathnames used by the Microsoft Antimalware Client. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0292013-04-10T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-029 Revision Note: V1.1 (April 10, 2013): Corrected the version number for Remote Desktop Connection Client on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 from 7.0 to 7.1. This is an informational change only. There were no changes to security update files.
Summary: This security update resolves a privately reported vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0352013-04-09T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-035 Revision Note: V1.0 (April 9, 2013): Bulletin published.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft Office. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0332013-04-09T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-033 Revision Note: V1.0 (April 9, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in all supported editions of Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0322013-04-09T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-032 Revision Note: V1.0 (April 9, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sends a specially crafted query to the Lightweight Directory Access Protocol (LDAP) service.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0302013-04-09T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-030 Revision Note: V1.0 (April 9, 2013): Bulletin published.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft SharePoint and Microsoft SharePoint Foundation. The vulnerability could allow information disclosure if an attacker determined the address or location of a specific SharePoint list and gained access to the SharePoint site where the list is maintained. The attacker would need to be able to satisfy the SharePoint site's authentication requests to exploit this vulnerability.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0222013-04-03T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-022 Revision Note: V1.2 (April 3, 2013): Updated the Known Issues entry in the Knowledge Base Article section from "None" to "Yes" and clarified that installing the update will upgrade previous versions of Silverlight to Silverlight version 5.1.20125.0.
Summary: This security update resolves a privately reported vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. Such websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0072013-04-03T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-007 Revision Note: V1.1 (April 3, 2013): Added a mitigation to CVE-2013-0005 for systems running Windows Server 2012.
Summary: This security update resolves a privately reported vulnerability in the Open Data (OData) protocol. The vulnerability could allow denial of service if an unauthenticated attacker sends specially crafted HTTP requests to an affected site. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0272013-03-27T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-027 Revision Note: V1.1 (March 27, 2013): Revised bulletin to remove workaround steps for disabling USB mass storage devices because these steps are not necessary to block known attack vectors. Revised bulletin to remove workaround steps for disabling USB mass storage devices because these steps are not necessary to block known attack vectors. For more information, see Update FAQ.
Summary: This security update resolves three privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow elevation of privilege if an attacker gains access to a system.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0262013-03-15T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-026 Revision Note: V1.1 (March 15, 2013): Corrected bulletin title and clarified affected version names in the vulnerability details and vulnerability FAQs.
Summary: This security update resolves one privately reported vulnerability in Microsoft Office for Mac. The vulnerability could allow information disclosure if a user opens a specially crafted email message.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0232013-03-15T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-023 Revision Note: V1.1 (March 15, 2013): Clarified language in the vulnerability FAQ, How could an attacker exploit the vulnerability?
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0252013-03-12T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-025 Revision Note: V1.0 (March 12, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft OneNote. The vulnerability could allow information disclosure if an attacker convinces a user to open a specially crafted OneNote file.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0242013-03-12T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-024 Revision Note: V1.0 (March 12, 2013): Bulletin published.
Summary: This security update resolves four privately reported vulnerabilities in Microsoft SharePoint and Microsoft SharePoint Foundation. The most severe vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes the user to a targeted SharePoint site.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0212013-03-12T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-021 Revision Note: V1.0 (March 12, 2013): Bulletin published.
Summary: This security update resolves eight privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0032013-03-12T07:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-003 Revision Note: V2.0 (March 12, 2013): Rereleased this bulletin to announce availability of an update for Microsoft System Center Operations Manager 2007 Service Pack 1. No other update packages are affected by this rerelease.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft System Center Operations Manager. The vulnerabilities could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the affected website.]]>http://technet.microsoft.com/en-us/security/bulletin/ms12-0342013-03-06T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms12-034 Revision Note: V1.6 (March 6, 2013): Corrected update replacement information for the KB2676562 update.
Summary: This security update resolves three publicly disclosed vulnerabilities and seven privately reported vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0202013-02-13T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-020 Revision Note: V1.1 (February 13, 2012): Clarified in the vulnerability FAQ what systems are primarily at risk for CVE-2013-1313. This is an informational change only.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability could allow remote code execution if a user opens a specially crafted file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0122013-02-13T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-012 Revision Note: V1.1 (February 13, 2013): Clarified that Microsoft Exchange Server 2010 Service Pack 3 is not affected by the vulnerabilities described in this bulletin. This is an informational change only.
Summary: This security update resolves publicly disclosed vulnerabilities in Microsoft Exchange Server. The most severe vulnerability is in Microsoft Exchange Server WebReady Document Viewing, and could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0192013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-019 Revision Note: V1.0 (February 12, 2013): Bulletin published.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0182013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-018 Revision Note: V1.1 (February 12, 2013): Added a link to Microsoft Knowledge Base Article 2790655 under Known Issues
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an unauthenticated attacker sends a specially crafted connection termination packet to the server.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0172013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-017 Revision Note: V1.1 (February 12, 2013): Added a link to Microsoft Knowledge Base Article 2799494 under Known Issues in the Executive Summary.
Summary: This security update resolves three privately reported vulnerabilities in all supported releases of Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0162013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-016 Revision Note: V1.1 (February 12, 2013): Added a link to Microsoft Knowledge Base Article 2778344 under Known Issues in the Executive Summary.
Summary: This security update resolves 30 privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0152013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-015 Revision Note: V1.0 (February 12, 2013): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in the .NET Framework. The vulnerability could allow elevation of privilege if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). The vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0142013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-014 Revision Note: V1.0 (February 12, 2013) Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker attempts a file operation on a read only share. An attacker who exploited this vulnerability could cause the affected system to stop responding and restart. The vulnerability only affects Windows servers with the NFS role enabled.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0132013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-013 Revision Note: V1.0 (February 12, 2013): Bulletin published.
Summary: This security update resolves publicly disclosed vulnerabilities in Microsoft FAST Search Server 2010 for SharePoint. The vulnerabilities could allow remote code execution in the security context of a user account with a restricted token. FAST Search Server for SharePoint is only affected by this issue when Advanced Filter Pack is enabled. By default, Advanced Filter Pack is disabled.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0112013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-011 Revision Note: V1.0 (February 12, 2013) Bulletin published.
Summary: This security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted media file (such as an .mpg file), opens a Microsoft Office document (such as a .ppt file) that contains a specially crafted embedded media file, or receives specially crafted streaming content. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0102013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-010 Revision Note: V1.1 (February 12, 2013): Added a link to Microsoft Knowledge Base Article 2797052 under Known Issues in the Executive Summary. In addition, corrected the FAQ entry for Internet Explorer 10 Release Preview for Windows 7 and Windows Server 2008 R2.
Summary: This security update resolves a privately reported vulnerability in the Microsoft implementation of Vector Markup Language (VML). The vulnerability could allow remote code execution if a user viewed a specially crafted webpage using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0062013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-006 Revision Note: V1.1 (February 12, 2013): Added a link to Microsoft Knowledge Base Article 2785220 under Known Issues in the Executive Summary.
Summary: This security update resolves a privately reported vulnerability in the implementation of SSL and TLS in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker intercepts encrypted web traffic handshakes. ]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0052013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-005 Revision Note: V1.2 (February 12, 2013): Added a link to Microsoft Knowledge Base Article 2778930 under Known Issues in the Executive Summary.
Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0042013-02-12T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-004 Revision Note: V2.1 (February 12, 2013): Bulletin revised to announce a detection change in the .NET Framework 1.1 Service Pack 1 update (KB2742597) to correct a Windows Update reoffering issue on certain systems that are running supported editions of Windows Vista or Windows Server 2008. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves four privately reported vulnerabilities in the .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). The vulnerabilities could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms12-0602013-01-30T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms12-060 Revision Note: V2.1 (January 30, 2013): Clarified that customers with the KB2687323 update will be offered the KB2726929 update for Windows common controls on all affected variants of Microsoft Office 2003, Microsoft Office 2003 Web Components, and Microsoft SQL Server 2005. See the update FAQ for details.
Summary: This security update resolves a privately reported vulnerability in Windows common controls. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.]]>http://technet.microsoft.com/en-us/security/bulletin/ms12-0572013-01-30T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms12-057 Revision Note: V2.1 (January 30, 2013): Clarified that customers with the KB2553260 and KB2589322 updates will be offered the KB2687501 and KB2687510 updates respectively for Microsoft Office 2010 Service Pack 1. See the update FAQ for details.
Summary: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file or embeds a specially crafted Computer Graphics Metafile (CGM) graphics file into an Office file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0082013-01-14T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-008 Revision Note: V1.0 (January 14, 2013): Bulletin published.
Summary: This security update resolves one publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0022013-01-08T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-002 Revision Note: V1.1 (January 8, 2013): Corrected download links for Microsoft XML Core Services 3.0 on Windows Server 2003 with SP2 for Itanium-based Systems and for Microsoft XML Core Services 6.0 when installed on Windows Server 2003 with SP2 for Itanium-based Systems. Added Server Core installation entries to Affected Software for Microsoft XML Core Services 4.0 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2 and Microsoft XML Core Services 6.0 on Windows Server 2008 for 32-bit Systems Service Pack 2. These are informational changes only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft XML Core Services. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker's website.]]>http://technet.microsoft.com/en-us/security/bulletin/ms13-0012013-01-08T08:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/bulletin/ms13-001 Revision Note: V1.0 (January 8, 2013): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a print server received a specially crafted print job. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems connected directly to the Internet have a minimal number of ports exposed.]]>