
    Little Holiday Joy This Patch Tuesday

    Microsoft released 11 bulletins for the final Patch Tuesday of the year. In 2013, we saw a total of 106 bulletins, which is an increase of 22 percent over 2012’s total count.

    December’s patches include five critical and six important bulletins, covering 24 CVEs. As promised, Microsoft addressed the Graphics Component vulnerability in bulletin MS13-096. It is rated critical and should be your first priority, even on systems where the Fix it workaround Microsoft published in November has been applied, because that workaround only disables the TIFF codec rather than fixing the bug. The flaw affects Windows, Office and Lync; the attacks seen in the wild targeted Office 2007 running on Windows XP. Exploitation requires convincing a user to open or preview a malformed TIFF image, and since persuading users to click is rarely hard, a real patch for this one is definitely welcome.

    Missing this month is a bulletin for the Windows kernel vulnerability in XP and Server 2003 that is currently under limited, targeted attacks. Until a fix ships, your best option is the workaround in Security Advisory 2914486, which Microsoft released in late November; note that it works by disabling the affected NDProxy driver, so RAS, dial-up and VPN services that depend on it stop working. This is perhaps another reminder that end of life for Windows XP is now just four months out (April 8, 2014), and users still running it should move to a current generation operating system sooner rather than later.

    The slideshow features a review of December’s patches, provided by Paul Henry, forensic and security analyst at Lumension.



    MS13-096: Critical

    As promised, Microsoft addressed the Graphics Component vulnerability in bulletin MS13-096. It is rated critical and should be your first priority despite the Fix it workaround that has been available since November: that workaround disables the TIFF codec in GDI+ rather than correcting the parsing bug, and it should be reverted once the patch is installed so that TIFF handling returns to normal. The bulletin covers Windows, Office and Lync; the attacks seen in the wild targeted Office 2007 running on Windows XP. Exploitation requires convincing a user to open or preview a malformed TIFF image, for example as an e-mail attachment or embedded in a document, and because persuading users to click is rarely hard, a patch for this one is definitely welcome.


    MS13-097: Critical

    MS13-097 is the critical cumulative security update for Internet Explorer. It covers seven CVEs, the most severe of which allow remote code execution when a user views a specially crafted web page, and because of IE’s widespread use it should be second on your priority list even though no active attacks are known to be under way.


    MS13-099: Critical

    Next on your priority list should be MS13-099. This critical bulletin covers one CVE in the Microsoft Scripting Runtime Object Library. Although the vulnerable code is a Windows component, the attack vector is the traditional browser one: a user visits a specially crafted web page and the scripting engine runs attacker-controlled code as that user, so treat it like a browser patch when scheduling deployment.


    MS13-098: Critical

    Microsoft released MS13-098 for a vulnerability in Windows. It corrects a flaw in the way the WinVerifyTrust function validates Windows Authenticode signatures on portable executable files: a signed binary could be modified by appending data to its signature block without invalidating the signature, so a file could present a valid signature and still not be the code the publisher signed. The bulletin is coupled with Security Advisory 2915720, which introduces a stricter verification behavior that rejects such extraneous data in the WIN_CERTIFICATE structure. The new behavior is currently turned off by default and must be opted into per system (the advisory documents a registry value, EnableCertPaddingCheck, under the Wintrust configuration key); Microsoft has said it will turn it on by default in June 2014, so test your signed installers and internally signed binaries against it before then.
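    As an added illustration of the padding issue behind MS13-098 and Security Advisory 2915720 (example code written for this page, not Microsoft’s implementation and not part of the bulletin), the script below walks the Attribute Certificate Table of a PE file, reads each WIN_CERTIFICATE entry and compares the entry’s declared length with the length of the DER-encoded PKCS#7 blob inside it. Bytes past the end of the DER structure, other than zero padding to the next 8-byte boundary, are reported as suspicious, which approximates the stricter check the advisory describes. The PE image, the WIN_CERTIFICATE entries and the placeholder PKCS#7 blob (FAKE_PKCS7) are all constructed inside the script so it runs offline; no signature is actually verified.

```python
import struct

# Constructed stand-in for the PKCS#7 SignedData blob: a DER SEQUENCE wrapping one
# INTEGER. A real Authenticode signature is far larger, but the slack check only
# needs the outer DER length, so this is enough to exercise the logic offline.
FAKE_PKCS7 = b"\x30\x05\x02\x03\x01\x02\x03"

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_total_length(buf, offset=0):
    """Length of the DER element at buf[offset], tag and length bytes included."""
    if len(buf) - offset < 2:
        raise ValueError("truncated DER element")
    first = buf[offset + 1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or offset + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    content = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    return 2 + n + content


def security_directory(pe):
    """Return (file_offset, size) of the Attribute Certificate Table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20               # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:
        dirs = opt + 96                   # PE32 data directories
    elif magic == 0x20B:
        dirs = opt + 112                  # PE32+ data directories
    else:
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_authenticode_padding(pe):
    """Walk every WIN_CERTIFICATE entry and report bytes past the end of its DER blob.
    Zero padding up to the next 8-byte boundary is tolerated; anything else is the
    kind of extraneous data the stricter verification behaviour rejects."""
    off, size = security_directory(pe)
    findings = []
    cur, end = off, off + size
    while cur + 8 <= end:
        dw_len, _rev, _ctype = struct.unpack_from("<IHH", pe, cur)
        if dw_len < 8 or cur + dw_len > end:
            raise ValueError("malformed WIN_CERTIFICATE length")
        body = pe[cur + 8:cur + dw_len]
        der_len = der_total_length(body)
        slack = body[der_len:]
        aligned = (der_len + 7) & ~7
        findings.append({
            "declared_body_len": len(body),
            "der_len": der_len,
            "trailing_bytes": len(slack),
            "suspicious": len(body) > aligned or any(slack),
        })
        cur += (dw_len + 7) & ~7          # entries are rounded up to 8 bytes
    return findings


def win_certificate(body):
    """Serialize one WIN_CERTIFICATE entry, zero-padded to an 8-byte boundary."""
    entry = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    return entry.ljust((len(entry) + 7) & ~7, b"\0")


def build_pe(cert_table=b"", pe32plus=False):
    """Construct a minimal header-only PE image (constructed test input, not
    loadable) with the given certificate table appended at the end of the file."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    magic, dir_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt_size = dir_off + 16 * 8           # data directories: 16 entries of 8 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(struct.pack("<H", magic).ljust(opt_size, b"\0"))
    header_len = len(dos) + 4 + len(coff) + opt_size
    struct.pack_into("<II", opt, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     header_len if cert_table else 0, len(cert_table))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    clean = build_pe(win_certificate(FAKE_PKCS7))
    padded = build_pe(win_certificate(FAKE_PKCS7 + b"EVIL" * 8))
    for name, image in (("clean", clean), ("padded", padded)):
        print(name, check_authenticode_padding(image))
```

    To run it against a real binary, read the file into bytes and call check_authenticode_padding on it. A cleanly signed file reports zero trailing bytes, while a file into which a packer or installer has tucked extra data after the signature shows the slack this bulletin and advisory are about. The reverse matters operationally too: some legitimate installers rely on that slack to carry configuration, and they will fail verification once the stricter behavior is enabled, which is exactly why it is worth testing before Microsoft turns it on by default.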


    MS13-105: Critical

    MS13-105 addresses vulnerabilities in Exchange Server and covers three CVEs. It rounds out the critically rated bulletins, and part of it updates the bundled Oracle Outside In libraries that Exchange uses for WebReady Document Viewing and Data Loss Prevention, so the attack surface here is a crafted document delivered by e-mail rather than a direct attack on the service.


    MS13-100: Important

    MS13-100 is an important-class bulletin that addresses possible remote code execution in SharePoint Server. It covers one privately reported vulnerability, and no attacks are known to be under way.


    MS13-101 through MS13-104 and MS13-106: Important

    The remaining important bulletins:

    • MS13-101 covers five CVEs in Windows kernel-mode drivers that could allow elevation of privilege. It is rated important and there are no active attacks.
    • MS13-102, in the Windows Local Procedure Call (LRPC) client, could also allow elevation of privilege.
    • MS13-103 addresses a vulnerability in ASP.NET SignalR.
    • MS13-104 addresses a vulnerability in Office that could allow information disclosure. Microsoft is aware of limited, targeted attacks using it, although the flaw was not publicly disclosed.
    • MS13-106 covers a vulnerability in a Microsoft Office 2007 and 2010 shared component that could allow a security feature bypass; on its own it leaks nothing, but an ASLR bypass of this kind is valuable to an attacker chaining it with a memory-corruption bug in another product such as Internet Explorer.


    Security Advisories

    Additionally, Microsoft released or revised four security advisories this Patch Tuesday.

    • Security Advisory 2905247 – Insecure ASP.Net Site Configuration Could Allow Remote Code Execution (sites that disable view state MAC validation, for example with enableViewStateMac set to false)
    • Security Advisory 2871690 – Update to Revoke Non-Compliant UEFI Boot Loaders
    • Security Advisory 2915720 – Changes in Windows Authenticode Signature Verification
    • Revision to 2755801 documenting another update for Adobe Flash Player
