Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

From Windows from Vista to 8.1, Microsoft Year-end Patch Tuesday hits 'em all

Headaches in the IT department tomorrow

Article comments

Microsoft is wrapping up the year's Patch Tuesday bulletins this week with 11 more fixes, pushing the total for 2013 to 106, up from last year's total of 83.

Five bulletins ranked critical all hold the potential for enabling remote code execution on victimized machines and affect a wide range of platforms including most versions of Windows, Windows Server, Internet Explorer, SharePoint and Exchange.

The patches will include a remedy for the .TIFF zero day vulnerability, a flaw in Microsoft Graphics that leaves Microsoft Office and Lync apps and Windows open to attack. Common exploits of the vulnerability include a Word file containing a malicious .TIFF image that leads to the attacker gaining control of the machine with current user rights. "In this vulnerability, an attacker needs to convince a user to preview or open a bad TIFF image for exploitation," says Paul Henry, a forensics and security analyst for Lumension. "Because we know persuading users to click isn't always that hard to do, a patch for this one is definitely welcome."

The problem and exploits in the wild were discovered last month, but Microsoft didn't deem it worth an out-of-band fix.

All the critical bulletins save one require restarts, so scheduling the patches will be a chore. "Be careful and have a rollback plan in case the patches break your custom environment," says Tommy Chin, a technical support engineer for CORE Security.

Another critical bulletin this month addresses a vulnerability in all versions of Internet Explorer from 6 through 11. "It is best to patch the ones that require restart quickly, since the vulnerable code is already loaded in those scenarios," says Chin. "Definitely patch Windows and Internet Explorer first."

A bulletin affecting Microsoft Exchange does not require a restart but warrants attention, says Qualys CTO Wolfgang Kandek. "Bulletin #5 is a server-side bulletin for Microsoft Exchange and will probably include the new Outside In library from Oracle that was released during October's Critical Patch Update," he says, referencing an Oracle update that included fixes for middleware in Outside In Technology, versions 8.4.0, 8.4.1. Outside In provides tools to access and control content in unstructured file formats.

One of the less severe bulletins, ranked important, should still be a high priority, says Kandek. "Bulletin #6 is for Microsoft Office and is only rated important, but it will still deserve your full attention due to the Remote Code Execution possibilities, most likely through file format vulnerabilities," he says.

A vulnerability in Windows XP discovered last week is not being addressed in this wave of patches. "This is perhaps another reminder that end of life is now just four months out for Windows XP and users still running it should move to a current generation operating system sooner rather than later," Henry says.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter@Tim_Greene.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *