This month’s Patch Tuesday update will bring four fixes for vulnerabilities in Microsoft Windows, Server, Office and enterprise planning software Dynamics AX.
All of the patches, or Microsoft “bulletins,” have been rated “important” by the company, meaning no critical flaws are scheduled to be addressed in January.
On Thursday, Microsoft released its advance notification of updates due out Jan. 14.
Bulletin 1 will patch Office and Microsoft Server to prevent remote code execution (RCE) by attackers, and Bulletins 2 and 3 will plug elevation-of-privilege bugs in Windows. Bulletin 4 rectifies security issues in Microsoft Dynamics AX that could allow denial-of-service attacks if exploited.
Microsoft Dynamics AX is enterprise software that supports operational and administrative planning, such as accounting, supply chain and other business tasks.
Of note, Bulletin 2 is expected to deliver the awaited fix for a zero-day vulnerability (CVE-2013-5065) in Windows XP and Server 2003, which was leveraged in a limited number of targeted attacks in November.
In a Thursday blog post, Wolfgang Kandek, CTO of Qualys, noted the absence of planned Internet Explorer fixes in Microsoft’s rather light update this month.
“While there is no update for Internet Explorer, taking care of your browser should still be among your highest priority items,” Kandek said. “Running the most updated browser version is the best way to deal with the web-based attacks, which have increased their heft in 2013. They are now the main threat vector, and more companies have been infected through web-based attacks than through e-mail,” he warned.