Security Advisor

Microsoft Targets 4 Zero-Day Flaws in December Patch

The company finishes 2013 with a total of 106 security bulletins.

In the last Microsoft Security Update of the year, the company today released five "critical" and six "important" bulletin items addressing 24 different flaws found in Microsoft's line of software and services.

Today should be a busy one for IT, as four bulletins address issues currently being exploited in the wild. According to security experts, bulletin MS13-096, a fix for the TIFF graphics remote code execution (RCE) flaw found at the beginning of November, should be your top priority.

"This one is rated critical and should be your first priority, despite the hot-fix that's been in place since November," said Paul Henry, forensics and security analyst at security firm Lumension.

The bulletin, which closes an open hole that has been used in attacks centered in the Middle East and Asia, should be applied immediately by those running Windows Vista, Windows Server 2008, Microsoft Office 2003, Office 2007, Office 2010, Office Compatibility Pack and Microsoft Office viewers.

The next priority should focus on bulletin MS13-097 -- a cumulative Internet Explorer fix for all versions of the browser. According to Microsoft, this one takes care of seven privately reported issues, with the most severe leading to an RCE attack if exploited. While this bulletin isn't one of the four actively exploited flaws, it still takes second on the priority list due to the relative ease of browser exploitation compared to other software.

Chiming in on today's order of attack, Qualys' Wolfgang Kandek marks a Microsoft Exchange fix (bulletin MS13-105) that addresses an Office Web Access (OWA) flaw as the next target to tackle.

"The attack vector here is a malicious document sent via e-mail and if visualized by a user, could be used to take control of the mail server," said Kandek in an e-mailed statement. "It is not the only vulnerability in OWA that was addressed; there is also a Viewstate serialization issue and an XSS scripting problem. If you use OWA in your setup, MS13-105 is an important patch for your organization."

The final two critical items of the month address different flaws in all versions of Windows. Bulletin MS13-098 takes care of a privately reported issue in how Windows opens portable executable (PE) files, and bulletin MS13-099 addresses a vulnerability in the Microsoft Scripting Runtime Object Library. Just like the Internet Explorer fix, the scripting bulletin needs to be applied as soon as possible, as exploitation can occur through Web browsers.

Important Items
Microsoft's December "important" bulletins include:

  • MS13-100: Addresses multiple RCE risks found in Microsoft SharePoint Servers 2010 and 2013.
  • MS13-101: This bulletin targets all versions of Windows and fixes five flaws, all found in the Windows kernel-mode driver.
  • MS13-102: Only targeting aging Windows XP and Windows Server 2003 (both losing support in April), this bulletin blocks elevation of privilege attacks exploited through an LRPC client flaw.
  • MS13-103: Fixes a privately reported issue in Microsoft's ASP.NET SignalR that can be exploited if JavaScript with harmful code attached is reflected back to a user.
  • MS13-104: This Office 2013 fix blocks an information disclosure attack that occurs when a specially crafted Office file is opened from a harmful Web site.
  • MS13-106: A fix for a rare security feature bypass flaw (currently being exploited in the wild), this bulletin corrects how Office handles COM components in files downloaded through Internet Explorer.

For those keeping score, Microsoft will finish the year with a total of 106 bulletins that fixed 330 flaws, making it a busier year for Microsoft's security team than 2012, when Microsoft issued only 83 bulletins.

As always, many of these bulletins will require a restart before being fully implemented. More details on this month's patch can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
