Microsoft recommends that the updates for Internet Explorer (MS13-021), Silverlight (MS13-022), and the Windows core (MS13-027) be given the highest priority. The Windows core vulnerability is interesting because, although a successful attack requires direct physical local access, it doesn’t require anyone to be logged into the system. This allows potential attackers to connect a specially crafted USB flash drive and execute code at system privilege level almost in passing. In an expansion of its guidelines, Microsoft will in future rate such “drive-by” attacks at a higher severity level than attacks that require gaining physical control of a system, for example by removing a hard disk or by booting from a different medium.
The three “important” bulletins close further holes in Windows, Office, and Microsoft’s server software. Microsoft has also made available a Flash update for Internet Explorer 10, probably to catch up with Adobe’s update. The company has provided an overview of the March patches and a table with an exploitability index, which helps with assessing the risks.