Feed aggregator

MS13-045 - Important : Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707) - Version: 1.1

Microsoft Security Notifications - Tue, 05/14/2013 - 23:00
Severity Rating: Important
Revision Note: V1.1 (May 15, 2013): Corrected link to the download location in the Detection and Deployment Tools and Guidance section. This is an informational change only.
Summary: This security update resolves a privately reported vulnerability in Windows Writer. The vulnerability could allow information disclosure if a user opens Writer using a specially crafted URL. An attacker who successfully exploited the vulnerability could override Windows Writer proxy settings and overwrite files accessible to the user on the target system. In a web-based attack scenario, a website could contain a specially crafted link that is used to exploit this vulnerability. An attacker would have to convince users to visit the website and open the specially crafted link.
Categories: Security Alerts

MS13-046 - Important : Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221) - Version: 1.0

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Important
Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves three reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs onto the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Categories: Security Alerts

MS13-044 - Important : Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692) - Version: 1.0

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Important
Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user opens a specially crafted Visio file. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system.
Categories: Security Alerts

MS13-043 - Important : Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399) - Version: 1.0

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Important
Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file or previews a specially crafted email message in an affected version of Microsoft Office software. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS13-042 - Important : Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397) - Version: 1.0

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Important
Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves eleven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Publisher file with an affected version of Microsoft Publisher. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS13-041 - Important : Vulnerability in Lync Could Allow Remote Code Execution (2834695) - Version: 1.0

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Important
Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Lync. The vulnerability could allow remote code execution if an attacker shares a specially crafted program in a Lync or Communicator session and convinces a user to accept an invitation to launch the program content. In all cases, an attacker would have no way to force users to view or share the attacker-controlled file or program. Instead, an attacker would have to convince users to take action, typically by getting them to accept an invitation in Lync or Communicator to view or share the presentable content.
Categories: Security Alerts

MS13-040 - Important : Vulnerabilities in .NET Framework Could Allow Spoofing (2836440) - Version: 1.0

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Important
Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in the .NET Framework. The more severe of the vulnerabilities could allow spoofing if a .NET application receives a specially crafted XML file. An attacker who successfully exploited the vulnerabilities could modify the contents of an XML file without invalidating the file's signature and could gain access to endpoint functions as if they were an authenticated user.
Categories: Security Alerts

MS13-039 - Important : Vulnerability in HTTP.sys Could Allow Denial of Service (2829254) - Version: 1.0

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Important
Revision Note: (May 14, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.
Categories: Security Alerts

MS13-038 - Critical : Security Update for Internet Explorer (2847204) - Version: 1.0

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves one publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS13-037 - Critical : Cumulative Security Update for Internet Explorer (2829530) - Version: 1.0

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (May 14, 2013): Bulletin published.
Summary: This security update resolves eleven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS13-009 - Critical : Cumulative Security Update for Internet Explorer (2792100) - Version: 1.2

Microsoft Security Notifications - Mon, 05/13/2013 - 23:00
Severity Rating: Critical
Revision Note: V1.2 (May 14, 2013): Revised this bulletin to announce a detection change to correct an offering issue for Windows Server 2012 (Server Core installation). This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves thirteen privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS12-043 - Critical : Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479) - Version: 4.2

Microsoft Security Notifications - Thu, 04/25/2013 - 23:00
Severity Rating: Critical
Revision Note: V4.2 (April 26, 2013): Corrected update replacement. This is an informational change only. There were no changes to the security update files or detection logic.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
Categories: Security Alerts

MS13-036 - Important : Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996) - Version: 3.1

Microsoft Security Notifications - Tue, 04/23/2013 - 23:00
Severity Rating: Important
Revision Note: V3.1 (April 24, 2013): Corrected KB article hyperlink and incorrect KB numbers for Windows 7 for x64-based Systems and Windows Server 2008 R2 for Itanium-based Systems in the Affected Software table. These are bulletin changes only.
Summary: This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.
Categories: Security Alerts

MS13-031 - Important : Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170) - Version: 1.1

Microsoft Security Notifications - Tue, 04/23/2013 - 23:00
Severity Rating: Important
Revision Note: V1.1 (April 24, 2013): Corrected update replacement. This is an informational change only. There were no changes to the security update files or detection logic.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.
Categories: Security Alerts

MS13-028 - Critical : Cumulative Security Update for Internet Explorer (2817183) - Version: 1.1

Microsoft Security Notifications - Tue, 04/23/2013 - 23:00
Severity Rating: Critical
Revision Note: V1.1 (April 24, 2013): Added CVE-2013-1338 as a vulnerability addressed by this update. In addition, corrected update replacement and clarified why this update replaces MS13-010. These are informational changes only.
Summary: This security update resolves two privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS13-034 - Important : Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482) - Version: 1.1

Microsoft Security Notifications - Mon, 04/15/2013 - 23:00
Severity Rating: Important
Revision Note: V1.1 (April 16, 2013): Bulletin revised to announce a detection change in the 2781197 package to correct a reoffering issue. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in the Microsoft Antimalware Client. The vulnerability could allow elevation of privilege due to the pathnames used by the Microsoft Antimalware Client. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
Categories: Security Alerts

MS13-029 - Critical : Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223) - Version: 1.1

Microsoft Security Notifications - Tue, 04/09/2013 - 23:00
Severity Rating: Critical
Revision Note: V1.1 (April 10, 2013): Corrected the version number for Remote Desktop Connection Client on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 from 7.0 to 7.1. This is an informational change only. There were no changes to security update files.
Summary: This security update resolves a privately reported vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS13-035 - Important : Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818) - Version: 1.0

Microsoft Security Notifications - Mon, 04/08/2013 - 23:00
Severity Rating: Important
Revision Note: V1.0 (April 9, 2013): Bulletin published.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft Office. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user.
Categories: Security Alerts

MS13-033 - Important : Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917) - Version: 1.0

Microsoft Security Notifications - Mon, 04/08/2013 - 23:00
Severity Rating: Important
Revision Note: V1.0 (April 9, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in all supported editions of Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Categories: Security Alerts

MS13-032 - Important : Vulnerability in Active Directory Could Lead to Denial of Service (2830914) - Version: 1.0

Microsoft Security Notifications - Mon, 04/08/2013 - 23:00
Severity Rating: Important
Revision Note: V1.0 (April 9, 2013): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sends a specially crafted query to the Lightweight Directory Access Protocol (LDAP) service.
Categories: Security Alerts