Patch Tuesday preview reveals 11 security fixes from Microsoft


This month, Microsoft plans to release 11 patches for security issues affecting its software, including a TIFF zero-day flaw that could allow remote code execution (RCE).

The tech giant provided a preview of its Patch Tuesday release on Thursday on its Security TechCenter site.

Among the 11 bulletins to be dispatched on Dec. 10, five address critical RCE flaws in Windows, Office, Internet Explorer, Exchange and Microsoft Lync, an instant messaging client.

The remaining six patches, ranked “important,” will plug elevation of privilege bugs in Windows and Developer Tools, along with vulnerabilities that allow an attacker to bypass security features in Office or disclose users' information by exploiting the software.

A remote code execution vulnerability in Office and Microsoft Server will also be addressed in the Patch Tuesday release.

Of note, one of the critical RCE patches scheduled for Tuesday fixes a zero-day vulnerability (CVE-2013-3906) discovered early last month that exists in the way affected components handle specially crafted TIFF images. By exploiting the bug (which attackers did), saboteurs could gain the same user rights as individuals they've targeted.

One serious hole that won't be plugged with the monthly update is a zero-day vulnerability (CVE-2013-5065) affecting Windows XP and Windows Server 2003 users, which has already been leveraged in targeted attacks. That bug, discovered last week, could escalate an attacker's privileges, eventually allowing them to install programs, access and modify data, or create accounts with full administrative rights.

The security community is particularly concerned about the Windows XP threat, as many enterprises haven't migrated off the 12-year-old operating system that reaches its end-of-life in just four months.
