Microsoft Advance Notification for December 2013

On December 10th, Microsoft will begin deploying their security updates to consumers with affected versions of Windows, Internet Explorer, Office, Exchange and Visual Studio. As it currently stands, the December security update release will mitigate vulnerabilities for eleven bulletins, five of which are critical. These five critical bulletins are based on vulnerabilities in commonly installed components, such as those required in the Window's platform and Office so this security update is definitely one you do not want to ignore. Additionally, six of these bulletins mitigate vulnerabilities that could allow an attacker to gain remote code execution on the system and three bulletins cover vulnerabilities that could allow an attacker to escalate their privileges.

Last month, Microsoft published an advisory regarding a remote code execution vulnerability in the Microsoft Graphics Component (Microsoft Security Advisory 2896666). This became known as the TIFF zero-day vulnerability (CVE-2013-3906) and this specific vulnerability was observed exploited in the wild. In the meantime, Microsoft had provided a workaround to protect against this threat but no patch has been released yet. Our fingers are crossed that Microsoft will mitigate this particular vulnerability in time for this month's release.

Also, Microsoft published an advisory on November 27th for a privilege escalation vulnerability in the Windows Kernel (Microsoft Security Advisory 2914486) which was also seen exploited in the wild. This particular vulnerability was used in conjunction with a vulnerability in Adobe Reader. Adobe has mitigated this vulnerability recently in its Adobe Reader software, however its unlikely that this vulnerability will be patched this month.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.