Ten years ago today, Microsoft pledged to improve the security of its software products, including Windows. One measure was to establish a regular monthly schedule for its security announcements. Microsoft ultimately settled on the second Tuesday of each month as the software update date, known in the industry as "Patch Tuesday".
Today, on the tenth anniversary of "Patch Tuesday", Microsoft released eight security patches for October 2013, four of which are rated "Critical". One of the critical updates affects all versions of Internet Explorer, including IE11, which will be released with Windows 8.1 on October 18.
1. Cumulative Security Update for Internet Explorer (2879017)
Security Bulletin MS13-080
Level: Critical
Summary: This security update resolves one publicly disclosed vulnerability and nine privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer system user rights could be less impacted than users who operate with administrative user rights.
Affected Software: For Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 on Windows clients, the severity rating for this security update is "Critical"; for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 on Windows servers, the severity rating for this security update is "Moderate".
2. Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)
Security Bulletin MS13-081
Level: Critical
Summary: This security update resolves seven privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user views shared content embedding OpenType or TrueType font files. An attacker who successfully exploited these vulnerabilities could gain complete control over the affected system.
Affected Software: For all supported versions of Microsoft Windows (excluding Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1), the severity rating for this security update is "Critical".
3. Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)
Security Bulletin MS13-082
Level: Critical
Summary: This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft .NET Framework. The most severe of these vulnerabilities could allow remote code execution if a user uses a browser capable of instantiating XBAP applications to visit a website containing a specially crafted OpenType font (OTF) file.
Affected Software: For Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5 on affected versions of Microsoft Windows, the severity rating for this security update is "Critical"; for Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on affected versions of Microsoft Windows, the severity rating for this security update is "Important".
4. Vulnerability in Windows Common Controls Library Could Allow Remote Code Execution (2864058)
Security Bulletin MS13-083
Level: Critical
Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. If an attacker sends a specially crafted web request to an ASP.NET web application running on an affected system, the vulnerability could allow remote code execution. An attacker could exploit this vulnerability to run arbitrary code without authentication.
Affected Software: For all supported 64-bit versions of Microsoft Windows, the severity rating for this security update is "Critical". For all supported 32-bit versions of Windows RT, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows 8, there is no severity rating for this security update.
5. Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089)
Security Bulletin MS13-084
Level: Important
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Office server software. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Office file in an affected version of Microsoft SharePoint Server, Microsoft Office Services, or Web Apps.
Affected Software: For supported versions of Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013, Microsoft SharePoint Services 3.0, and Microsoft SharePoint Foundation 2010, the severity rating for this security update is "Important". For supported versions of Microsoft Office Services and Web Apps on Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, and Microsoft SharePoint Server 2013, the severity rating for this security update is also "Important".
6. Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)
Security Bulletin MS13-085
Level: Important
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Office. These vulnerabilities could allow remote code execution if a user opens a specially crafted Office file using an affected version of Microsoft Excel or other affected Microsoft Office software. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer system user rights could be less impacted than users with administrative user rights.
Affected Software: For all supported versions of Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, Microsoft Office 2013 RT, and Microsoft Office for Mac 2011, the severity rating for this security update is "Important". For supported versions of Microsoft Excel Viewer and Microsoft Office Compatibility Pack, the severity rating for this security update is also "Important".
7. Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)
Security Bulletin MS13-086
Level: Important
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Office. These vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer system user rights could be less impacted than users with administrative user rights.
Affected Software: For supported versions of Microsoft Word 2003, Microsoft Word 2007, and Microsoft Office Compatibility Pack, the severity rating for this security update is "Important".
8. Vulnerability in Silverlight Could Allow Information Disclosure (2890788)
Security Bulletin MS13-080
Level: Important
Summary: This security update resolves one privately reported vulnerability in Microsoft Silverlight. If an attacker owns a website containing a specially crafted Silverlight application that exploits this vulnerability and then lures users to view the site, the vulnerability could allow information disclosure. Attackers could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. Such websites may contain specially crafted content that could exploit this vulnerability. However, in all cases, attackers cannot force users to visit the website. Instead, attackers must lure users to the website, typically by getting them to click a link in an email or instant messenger message that directs them to the attacker's website. Attackers could also use banner ads or other methods to deliver specially crafted web content to affected systems.
Affected Software: For Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime installed on Mac and all supported versions of Microsoft Windows, the severity rating for this security update is "Important".