The top patching priority in this month's Patch Tuesday is MS13-051, a remote code execution vulnerability in Microsoft Office affecting Office 2003 for Windows and Office 2011 for Mac. It is under limited, targeted exploitation in the wild, and the only reason Microsoft has not rated it "Critical" is the small number of affected platforms. Exploitation requires the user to open a malicious document.

The kernel elevation of privilege issue disclosed by Google researcher Tavis Ormandy is *not* addressed in this Patch Tuesday, and Microsoft has not indicated that it is considering an out-of-band patch for it. In my opinion an out-of-band patch is not likely for a local kernel exploit.

Overall there are 23 CVEs this month; 19 of them are in MS13-047, the cumulative update for Internet Explorer. All of these were found internally or responsibly disclosed, and none are being exploited in the wild. Given the large number of issues fixed, however, this bulletin is also a top patching priority.

Two kernel bulletins are being patched (MS13-048 and MS13-049): the first is an information disclosure in the Windows kernel, the second a denial of service (DoS) in the TCP/IP implementation. To trigger the DoS, an attacker must first cause the host's own SYN flood protection to engage, so network-layer defenses against SYN flooding mitigate this issue.

MS13-050 is a post-authentication elevation of privilege in the Print Spooler service. This is a fairly significant concern, and it is not clear whether authenticating as Guest is sufficient to reach the weakness. This is a number two patching priority.

Today's release delivers coverage for all of these vulnerabilities.
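To check a Windows host against the Windows-component bulletins discussed above, the following PowerShell audit is an added example and is not part of the original post. It queries the installed hotfix list and reports which bulletin KBs are present. The KB numbers are my recollection of the bulletin titles, not something stated on this page; verify them against the bulletin pages before relying on the output. MS13-051 is an Office update, which does not appear in Get-HotFix, so it is deliberately left out.

```powershell
# Added example, not from the original post. KB numbers are an assumption
# (recalled from the bulletin titles); confirm them against the bulletins.
# MS13-051 (Office) is not visible to Get-HotFix and is not checked here.
$Bulletins = @{
    'MS13-047 (IE cumulative update)' = 'KB2838727'
    'MS13-048 (Windows kernel)'       = 'KB2839229'
    'MS13-049 (TCP/IP DoS)'           = 'KB2845690'
    'MS13-050 (Print Spooler EoP)'    = 'KB2839894'
}

function Test-JuneBulletins {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Get-HotFix reads Win32_QuickFixEngineering: Windows component updates only.
    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID

    foreach ($entry in ($Bulletins.GetEnumerator() | Sort-Object Name)) {
        [pscustomobject]@{
            Bulletin  = $entry.Name
            KB        = $entry.Value
            Installed = ($installed -contains $entry.Value)
        }
    }
}

# Report every bulletin, then list only the missing ones for follow-up.
$results = Test-JuneBulletins
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "Missing $($_.KB) ($($_.Bulletin))" }
```

One caveat when reading the output: the IE cumulative update is superseded by later cumulative updates, so on a host patched months later the MS13-047 KB may be absent even though the fix is present. For that bulletin, treat a missing KB as a prompt to check the installed IE version rather than as proof of exposure.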