Patch Tuesday - 11 Sep 2013

September 11th, 2013

Microsoft had projected 14 security bulletins for today, but only 13 were released.

For SharePoint, an attacker could abuse the ViewState mechanism on two specific web pages and gain control over the server. By default, the pages require authentication, which limits the attack vector. If you have reconfigured authentication, this bulletin should be high on your list. Note that the bulletin contains work-around steps that you can configure immediately even if you cannot apply the patch right away.

These 3 are the ones that demanded my immediate attention:

MS13-067 addresses ten vulnerabilities in SharePoint Server, and affects SharePoint 2003, 2007, 2010, and 2013, along with Office Web Apps 2010. The patch addresses multiple elevation-of-privilege vulnerabilities that could allow an attacker to execute code in the context of another SharePoint user. In certain situations where the default authentication mechanism has been changed, an attacker may be able to take control of the server. Safeguarding sensitive data is critical, so get this patch rolled out as soon as possible.
***

MS13-068 / KB2756473 – Vulnerability in Microsoft Outlook Could Allow Remote Code Execution

MS13-068 fixes a critical, privately reported vulnerability in Outlook, which an attacker could use to execute arbitrary code in the context of the current user. It affects both Outlook 2007 and 2010. Attackers can exploit this without specific user interaction by crafting malicious S/MIME messages and sending them to target users. When the malicious message is opened, the exploit is triggered, and the vulnerable system is compromised – enabling the attacker to run code in the context of the user. The attack vector makes it urgent to apply this patch as soon as possible.
***

MS13-069 / KB2870699 – Cumulative Security Update for Internet Explorer

MS13-069 is the latest cumulative security update for the Internet Explorer Web browser. The update applies to all supported versions of Internet Explorer, but none of the underlying flaws affects all versions of the browser. This patch should be deployed as quickly as possible, though, because any of these vulnerabilities can be used in drive-by exploits allowing the attacker to execute code in the context of the current user.
