The May cumulative security update for Internet Explorer 6, 7, 8, 9, and 10 is available on Windows Update. It fixes eleven vulnerabilities that were reported in time before they were publicly disclosed. The most serious vulnerabilities relate to remote code execution if a user visits an attacker’s website. The user can then gain the same rights as the user. This can happen by simply processing data serialized to JSON, which is often used.
Users with UAC (User Account Control) enabled are better protected against attacks. The update is on Windows Update, so you don't need to take any special action if you have automatic updates enabled. Otherwise, I recommend deploying this update as soon as possible, because the most vulnerable systems are in the time between the disclosure of the vulnerability and the installation of the security update.
The update is rated critical for Internet Explorer 8 on Windows client and Recommended for Windows Server. Internet Explorer 9 and 10 are not affected because it is not affected by default.
An update to Adobe Flash Player in Internet Explorer 10 for Windows 8 and Windows Server 2012 has also been released, which is also rated as critical.
Among the updates is also a new version of ActiveX Kill Bits, which takes care of disabling ActiveX components in Internet Explorer that do not appear to be safe or are outdated.
For more information, see Security Bulletins MS13-037, MS13-038, 2755801 , and APSB13-14 , and the KB2820197, KB2829530 , and KB2837385 technical support articles.
I wrote the article for TechNet Blog CZ/SK.