Microsoft Patches Two-Dozen Flaws in Final Patch Tuesday of 2013

December's Patch Tuesday fixes a critical flaw that was left out of the November update and leaves yet another flaw unpatched that is still being exploited.


Microsoft came out with its December Patch Tuesday update, which delivers fixes for 24 flaws spread across 11 advisories, six of which are identified as being critical.

At the top of Microsoft's patch list is a TIFF image flaw that was not fully patched in the November Patch Tuesday update, even though it was known and being exploited. The MS13-096 advisory in the December update explains that "a remote code execution vulnerability exists in the way that affected Windows components and other affected software handle specially crafted TIFF files."

Microsoft warns that the TIFF flaw, if exploited, could have potentially enabled an attacker to take control of a user's PC.

The vulnerability could allow remote code execution if a user views TIFF files in shared content. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Though it has taken Microsoft a month to patch the TIFF issue, researchers at security firm Tripwire aren't concerned. Tyler Reguly, security research and development manager at Tripwire, told eWEEK he was surprised by Microsoft's speediness in patching the TIFF vulnerability.

"I think that Microsoft responded to this threat in a reasonable timeframe considering the complexity of the affected code and the limited scope of affected products," Craig Young, security researcher at Tripwire, added. "Also, remember, that Microsoft did promptly release a 'fix-it' to disable the vulnerable code path."

A fix-it is a temporary measure that is intended to limit the risk of a vulnerability before a full patch is issued.

The other big critical item on Microsoft's December Patch Tuesday list is the MS13-097 cumulative security update for Internet Explorer. Unlike the November update, which patched a zero-day flaw, the December update deals with seven privately reported vulnerabilities that are not currently being publicly exploited.

"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer," Microsoft warns in its advisory. "An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user."

The flaws in MS13-097 were privately reported, but they may have private exploits that go with them to prove that the vulnerability exists, Tommy Chin, technical support engineer at CORE Security, told eWEEK.

"Hopefully, [the private vulnerabilities] are in the hands of the good guys," Chin said.
Wolfgang Kandek, CTO of Qualys, told eWEEK that overall he is continuing to see many vulnerabilities in Internet Explorer, so there is a lot of interest in browser security, both on the security researcher side and attacker community.

"It was a good move by Microsoft to go to monthly updates as we don't really see the volume in browser attacks going down," Kandek said.

Even with all the flaws patched by Microsoft this month, at least one known vulnerability that is currently under attack was left out. At the end of November, Microsoft Security Advisory 2914486 warned about a vulnerability in a kernel component of Windows XP and Windows Server 2003 identified in CVE-2013-5065.

As to why Microsoft did not patch the issue with the December update, Chin suggested that Microsoft probably wanted to address all the remote code execution vulnerabilities first. The Windows kernel flaw, in contrast, is a privilege escalation issue. In a privilege escalation attack, the attacker gains access with low-level credentials and then is able to elevate their privileges once inside, to a higher level of access.

"Privilege escalation is very dangerous, but only if you have a way in," Chin said. "Assuming you patch all the remote code execution exploits, the only way to run privilege escalation exploits is with stolen credentials."

Russ Ernst, group product manager at Lumension, told eWEEK that he wasn't too surprised that Microsoft has decided not to include the coded fix for Security Advisory 2914486.
"Although there are known active exploits against the vulnerability described in CVE-2013-5065, the affected systems are limited to Windows XP and Windows Server 2003," Ernst said. "There is a published workaround to mitigate the attack, and the impacted platforms move to end-of-life next year, which may have pushed this to a lower priority than today’s already large release of 11 security fixes."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.