Microsoft Plans 11 Security Bulletins for Final Patch Tuesday of 2013

Microsoft is planning to release 11 security bulletins next week as part of the year’s final Patch Tuesday update.

Five of the bulletins are rated ‘critical’ and address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The remaining bulletins are classified as ‘important’, and affect Windows, Microsoft Office, Server Software and Microsoft Developer Tools. Not included is a fix for the Windows kernel vulnerability that the company warned was being exploited late last month.

“We’re still working to develop a security update and we’ll release it when ready,” blogged Dustin Childs, group manager of response communications for the Microsoft Trustworthy Computing Group. “Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.”

There are six remote code execution vulnerabilities and three of them deal with core components loaded in memory for Microsoft Windows, Office, Lync and Internet Explorer, noted Tommy Chin, technical support engineer at Core Security.

“It is best to patch the ones that require restart quickly, since the vulnerable code is already loaded in those scenarios,” he said, advising administrators to patch Windows and Internet Explorer first. “With three privilege escalation vulnerabilities and two of those being loaded Windows components, we have a total of five highly important updates that require reboot. Be careful and have a rollback plan in case the patches break your custom environment.”

The 11 bulletins bring the total for 2013 to 106, up significantly from last year’s 83, but approximately the same as 2011 (100 bulletins) and 2010 (106 bulletins).

“With 11 bulletins this month, Microsoft will easily break 100, beating last year’s numbers and even exceeding 2011’s December 29th release of MS11-100,” said Tyler Reguly, technical manager of security research and development at Tripwire. “System administrators everywhere must have made Microsoft’s naughty list because this holiday ‘gift’ is clearly a lump of coal.”

“Microsoft is wrapping up the 2013 patch season with anything that was laying around,” he continued. “We’re seeing patches for ASP.NET SignalR, Office, Exchange 2013, SharePoint 2013, and Lync 2013, as well as every version of Windows and Internet Explorer. Someone should tell Microsoft they forgot to include the kitchen sink.”
