Microsoft is wrapping up the year's Patch Tuesday bulletins this week with 11 more fixes, pushing the total for 2013 to 106, up from last year's total of 83.
Five bulletins ranked critical all hold the potential for enabling remote code execution on victimized machines and affect a wide range of platforms including most versions of Windows, Windows Server, Internet Explorer, SharePoint and Exchange.
The patches will include a remedy for the .TIFF zero day vulnerability, a flaw in Microsoft Graphics that leaves Microsoft Office and Lync apps and Windows open to attack. Common exploits of the vulnerability include a Word file containing a malicious .TIFF image that leads to the attacker gaining control of the machine with current user rights. "In this vulnerability, an attacker needs to convince a user to preview or open a bad TIFF image for exploitation," says Paul Henry, a forensics and security analyst for Lumension. "Because we know persuading users to click isn't always that hard to do, a patch for this one is definitely welcome."
The problem and exploits in the wild were discovered last month, but Microsoft didn't deem it worth an out-of-band fix.
All the critical bulletins save one require restarts, so scheduling the patches will be a chore. "Be careful and have a rollback plan in case the patches break your custom environment," says Tommy Chin, a technical support engineer for CORE Security.
Another critical bulletin this month addresses a vulnerability in all versions of Internet Explorer from 6 through 11. "It is best to patch the ones that require restart quickly, since the vulnerable code is already loaded in those scenarios," says Chin. "Definitely patch Windows and Internet Explorer first."
A bulletin affecting Microsoft Exchange does not require a restart but warrants attention, says Qualys CTO Wolfgang Kandek. "Bulletin #5 is a server-side bulletin for Microsoft Exchange and will probably include the new Outside In library from Oracle that was released during October's Critical Patch Update," he says, referencing an Oracle update that included fixes for middleware in Outside In Technology, versions 8.4.0, 8.4.1. Outside In provides tools to access and control content in unstructured file formats.
One of the less severe bulletins, ranked important, should still be a high priority, says Kandek. "Bulletin #6 is for Microsoft Office and is only rated important, but it will still deserve your full attention due to the Remote Code Execution possibilities, most likely through file format vulnerabilities," he says.
A vulnerability in Windows XP discovered last week is not being addressed in this wave of patches. "This is perhaps another reminder that end of life is now just four months out for Windows XP and users still running it should move to a current generation operating system sooner rather than later," Henry says.