Microsoft Patches Two-Dozen Flaws in Final Patch Tuesday of 2013
December's Patch Tuesday fixes a critical flaw that was left out of the November update and leaves yet another flaw unpatched that is still being exploited.

Microsoft came out with its December Patch Tuesday update, which delivers fixes for 24 flaws spread across 11 security bulletins, six of which are rated critical. At the top of the list is a TIFF image-parsing flaw that Microsoft did not patch in the November Patch Tuesday update, even though it was publicly known and being exploited in the wild. The MS13-096 bulletin in the December update explains that "a remote code execution vulnerability exists in the way that affected Windows components and other affected software handle specially crafted TIFF files." Exploitation requires only that a user view a malicious TIFF file, for example one embedded in a document or placed in shared content; an attacker who succeeds gains code execution with the rights of the logged-on user and, Microsoft warns, could take complete control of the affected system.
Though a month passed between public reports of the TIFF exploits and the patch, researchers at security firm Tripwire aren't concerned. Tyler Reguly, security research and development manager at Tripwire, told eWEEK that he was in fact surprised by how quickly Microsoft patched the TIFF vulnerability.
Wolfgang Kandek, CTO of Qualys, told eWEEK that he continues to see many vulnerabilities in Internet Explorer, so there is a lot of interest in browser security on both the security research side and the attacker side. "It was a good move by Microsoft to go to monthly updates as we don't really see the volume in browser attacks going down," Kandek said.

Even with everything patched this month, at least one publicly known vulnerability that is currently under attack was left out. At the end of November, Microsoft Security Advisory 2914486 warned of a vulnerability in a kernel-mode component of Windows XP and Windows Server 2003, tracked as CVE-2013-5065. As to why Microsoft did not fix the issue in the December update, Chin suggested that Microsoft probably wanted to address all the remote code execution vulnerabilities first. The Windows kernel flaw, by contrast, is a local privilege escalation issue: the attacker must already be running code on the machine as a low-privileged user, whether through a separate exploit, a malicious attachment or stolen credentials, and uses the flaw to run code with kernel privileges. That makes it most dangerous as the second stage of an attack chain rather than as an initial entry point. "Privilege escalation is very dangerous, but only if you have a way in," Chin said. "Assuming you patch all the remote code execution exploits, the only way to run privilege escalation exploits is with stolen credentials." Russ Ernst, group product manager at Lumension, told eWEEK that he wasn't too surprised that Microsoft decided not to include a fix for Security Advisory 2914486.
"Although there are known active exploits against the vulnerability described in CVE-2013-5065, the affected systems are limited to Windows XP and Windows Server 2003," Ernst said. "There is a published workaround to mitigate the attack, and the impacted platforms move to end-of-life next year, which may have pushed this to a lower priority than today's already large release of 11 security fixes." Administrators weighing that workaround should note its cost: the advisory's mitigation disables the NDProxy.sys driver by redirecting it to null.sys, which also stops services that depend on TAPI, including Remote Access Service, dial-up and VPN, from working while it is in place.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.