(LiveHacking.Com) – Microsoft has released eight security updates that address 23 vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. Three of the bulletins are rated as Critical and the remaining five are rated as Important.
The first of the Critical updates (MS13-059) is a cumulative patch for IE. It resolves eleven privately reported vulnerabilities in Microsoft’s browser, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The update affects Internet Explorer 6, 7, 8, 9, and 10 on all supported versions of Windows including Windows 8 and Windows 8 RT. On Windows Server platforms the severity is only Moderate.
The next Critical patch (MS13-060) fixes a vulnerability in the Unicode Scripts Processor included in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. The fix changes the way that Microsoft Windows parses specific characteristics of OpenType fonts. The bug only affects Windows XP and Windows Server 2003; all other supported versions of Windows are unaffected.
The final Critical bulletin (MS13-061) is a patch for Exchange that addresses three publicly disclosed vulnerabilities in the WebReady Document Viewing and Data Loss Prevention features of Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using the Outlook Web App (OWA). In addition, the Data Loss Prevention feature contains code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. Exchange 2007, 2010 and 2013 are all affected; only Exchange 2003 is unaffected.
The remaining bulletins are all rated as Important and cover two sets of elevation of privilege bugs, two denial of service vulnerabilities and an information disclosure issue in Active Directory Federation Services (AD FS).