
Little Holiday Joy This Patch Tuesday


Written By
ITBE Staff
Dec 10, 2013

Microsoft released 11 bulletins for the final Patch Tuesday of the year. In 2013, we saw a total of 106 bulletins, which is an increase of 22 percent over 2012’s total count.

December’s patches include five critical and six important bulletins, and they cover 24 CVEs. As promised, Microsoft addressed the Graphics Components vulnerability in bulletin MS13-096. This one is rated critical and should be your first priority, despite the hot-fix that’s been in place since November. It affects Windows, Office and Lync through Office 2007 installed on XP. In this vulnerability, an attacker needs to convince a user to preview or open a bad TIFF image for exploitation. Because we know persuading users to click isn’t always that hard to do, a patch for this one is definitely welcome.

Missing this month is a bulletin for the vulnerability currently under limited targeted attacks in the Windows kernel component in XP and Server 2003. Your best option is the security advisory Microsoft recently released, 2914486. This is perhaps another reminder that end-of-life is now just four months out for Windows XP and users still running it should move to a current generation operating system sooner rather than later.

The slideshow features a review of December’s patches, provided by Paul Henry, forensic and security analyst at Lumension.



MS13-096: Critical

As promised, Microsoft addressed the Graphics Components vulnerability in bulletin MS13-096. This one is rated critical and should be your first priority, despite the hot-fix that’s been in place since November. It affects Windows, Office and Lync through Office 2007 installed on XP. In this vulnerability, an attacker needs to convince a user to preview or open a bad TIFF image for exploitation. Because we know persuading users to click isn’t always that hard to do, a patch for this one is definitely welcome.


MS13-097: Critical

MS13-097 is a critical cumulative update for Internet Explorer that addresses vulnerabilities that could allow remote code execution. It includes seven CVEs and, because of IE’s widespread use, should be considered second on your priority list despite no known active attacks underway.


MS13-099: Critical

Next on your priority list should be MS13-099. This is a critical bulletin with one CVE for the Microsoft Scripting Runtime Object Library. While the vulnerability is in a Windows component, the attack vector is a traditional browser.


MS13-098: Critical

Microsoft released MS13-098 for a vulnerability in Windows. This one addresses a vulnerability in how WinVerifyTrust validates signatures and is coupled with Security Advisory 2915720. It contains a new security feature that is currently turned off by default, but Microsoft will turn it on in June 2014.


MS13-105: Critical

MS13-105 addresses vulnerabilities in Exchange and covers three CVEs. This rounds out the critically rated bulletins, and part of this bulletin impacts Oracle Outside In.


MS13-100: Important

MS13-100 is an important-rated bulletin that addresses a possible remote code execution in SharePoint. It is for one privately reported vulnerability and no known attacks are underway.


MS13-101 through MS13-104 and MS13-106: Important

MS13-101 updates five CVEs found in Windows kernel drivers that could allow elevation of privilege. This bulletin is rated important and there are no active attacks. MS13-102, in Windows Local Procedure Call, could also allow elevation of privilege. MS13-103 is a vulnerability in ASP.NET SignalR, and MS13-104 is a vulnerability in Office that could allow information disclosure. There are limited active attacks on this one but it is not publicly known. MS13-106 covers a vulnerability in a Microsoft Office 2007 and 2010 shared component that could allow a security feature bypass.


Security Advisories

Additionally, Microsoft released 4 security advisories this Patch Tuesday.

  • Security Advisory 2905247 – Insecure ASP.NET Site Configuration Could Allow Remote Code Execution
  • Security Advisory 2871690 – Update to Revoke Non-Compliant UEFI Boot Loaders
  • Security Advisory 2915720 – Changes in Windows Authenticode Signature Verification
  • Revision to 2755801 documenting another update for Adobe Flash Player
