Patch Tuesday preview reveals 11 security fixes from Microsoft


This month, Microsoft plans to release 11 patches for security issues affecting its software, including a TIFF zero-day flaw that could allow remote code execution (RCE).

The tech giant provided a preview of its Patch Tuesday release on Thursday on its Security TechCenter site.

Among the 11 bulletins to be dispatched on Dec. 10, five address critical RCE flaws in Windows, Office, Internet Explorer, Exchange and Microsoft Lync, an instant messaging client.

The remaining six patches, ranked “important,” will plug elevation of privilege bugs in Windows and Developer Tools, and vulnerabilities that allow an attacker to bypass security features in Office or disclose users' information by exploiting the software.

A remote code execution vulnerability in Office and Microsoft Server will also be addressed in the Patch Tuesday release.

Of note, one of the critical RCE patches scheduled for Tuesday fixes a zero-day vulnerability (CVE-2013-3906) discovered early last month that exists in the way affected components handle specially crafted TIFF images. By exploiting the bug (which attackers did), saboteurs could gain the same user rights as individuals they've targeted.

One serious hole that won't be plugged with the monthly update is a zero-day vulnerability (CVE-2013-5065) affecting Windows XP and Windows Server 2003 users, which has already been leveraged in targeted attacks. That bug, discovered last week, could escalate an attacker's privileges, eventually allowing them to install programs, access and modify data, or create accounts with full administrative rights.

The security community is particularly concerned about the Windows XP threat, as many enterprises haven't migrated off the 12-year-old operating system that reaches its end-of-life in just four months.
