SecurityWeek

Microsoft Plans 11 Security Bulletins for Final Patch Tuesday of 2013

Microsoft is planning to release 11 security bulletins next week as part of the year’s final Patch Tuesday update.

Five of the bulletins are rated ‘critical’ and address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The remaining bulletins are classified as ‘important’, and affect Windows, Microsoft Office, Server Software and Microsoft Developer Tools. Not included is a fix for the Windows kernel vulnerability that the company warned was being exploited late last month.

“We’re still working to develop a security update and we’ll release it when ready,” blogged Dustin Childs, group manager of response communications for the Microsoft Trustworthy Computing Group. “Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.”

There are six remote code execution vulnerabilities and three of them deal with core components loaded in memory for Microsoft Windows, Office, Lync and Internet Explorer, noted Tommy Chin, technical support engineer at Core Security.

“It is best to patch the ones that require restart quickly, since the vulnerable code is already loaded in those scenarios,” he said, advising administrators to patch Windows and Internet Explorer first. “With three privilege escalation vulnerabilities and two of those being loaded Windows components, we have a total of five highly important updates that require reboot. Be careful and have a rollback plan in case the patches break your custom environment.”

The 11 bulletins bring the total for 2013 to 106, up significantly from last year’s 83, but approximately the same as 2011 (100 bulletins) and 2010 (106 bulletins).

“With 11 bulletins this month, Microsoft will easily break 100, beating last year’s numbers and even exceeding 2011’s December 29th release of MS11-100,” said Tyler Reguly, technical manager of security research and development at Tripwire. “System administrators everywhere must have made Microsoft’s naughty list because this holiday ‘gift’ is clearly a lump of coal.”

“Microsoft is wrapping up the 2013 patch season with anything that was laying around,” he continued. “We’re seeing patches for ASP.NET SignalR, Office, Exchange 2013, SharePoint 2013, and Lync 2013, as well as every version of Windows and Internet Explorer. Someone should tell Microsoft they forgot to include the kitchen sink.”
