Microsoft’s Patch Tuesday brought out 13 bulletins.
Of the 13 bulletins, the MS Office family has seven vulnerabilities and Windows OS patches have six.
There are four advisories labeled as critical. All of these are going to be important, depending on which versions of Windows are deployed in your environment. One of these is the monthly IE update, which all versions of IE require.
Microsoft is putting top priority on MS13-067, which affects SharePoint Server. The advisory covers multiple CVEs, but the most severe is CVE-2013-1330, which allows remote code execution through malicious content sent to the server without user interaction: genuine real-time remote exploitation. Of the 10 CVEs, one is public, but supposedly that is not CVE-2013-1330. There is a workaround for CVE-2013-1330 related to enabling state inspection for message authentication code attributes.
The other two critical advisories both require user interaction to trigger the vulnerability; however, MS13-068, affecting Microsoft Outlook, is particularly toxic because it can be triggered when users view malicious content in the Outlook preview pane.
MS13-070 applies only to XP and Server 2003, and vulnerabilities on those platforms tend to be less “contained” than on more mature versions of Windows. XP and Office 2003 have shown no letup in patching frequency, despite the end of support for XP looming just around the corner in April 2014.
If you are running an MS-heavy shop and have invested significantly in the back-office technology of SharePoint, then this month is going to be very busy. There are lots of vulnerabilities to patch, many of which are high risk. Office vulnerabilities typically end up mitigated because they require a user to interact with something malicious, either through an attachment or a link. But with the Office Server (SharePoint), that degree of mitigation may go away, and other defense-in-depth factors will come into play.