Those IT pros who were hoping that Microsoft would go easy on us this month so we could spend more time on year-end reports (and/or shopping for holiday gifts) are going to be a little disappointed. After a couple of months with only eight patches each, we might be a tad spoiled. Don’t worry – December isn’t nearly as bad as September (when we were faced with 14 patches, and ensuing problems caused one of those updates to be revoked), but we’re looking at a set of 11 security updates this time, five of them rated critical.
With these 11 updates, that makes a total of 106 security bulletins for this year (assuming there are no emergency releases before the end of the year). That’s 23 more than last year, almost a 28 percent increase.
The good news is that the zero-day vulnerability affecting Microsoft Office that we reported on last month in the post No Patch Forthcoming for TIFF-handling Zero Day Vulnerability is being fixed this month, according to reports based on a Microsoft blog post. The bad news is that there apparently is no fix, among this month’s slate of updates, for the zero-day vulnerability in the NDProxy driver that we reported on in the post XP/Server 2003 Kernel Vulnerability. Dustin Childs at Microsoft was quoted as saying, “we’ll release it when ready.” That means it’s especially important, if you’re running XP and/or Server 2003 systems, to apply the workaround now and not wait for the patch.
As usual, remote code execution and elevation of privilege are the potential results of exploits of most of these vulnerabilities, and most of them (including the TIFF-handling vulnerability mentioned above) impact Windows, IE and/or Office applications, ranging from Windows XP to Windows 8.1 and Server 2003 to 2012 R2, and Office 2003 to 2013. It’s obviously very important to patch these components since their code is always running on your computers, exposing them to potential attacks that use these vectors.
Lync and Exchange, which are deployed in many businesses, are also affected by two of the updates. One of the vulnerabilities applies only to Microsoft Developer Tools (Visual Studio Team Foundation Server 2013 and ASP.NET SignalR) so that one most likely won’t be installed on the majority of computers (other than those used by your in-house development team).
One of the bulletins that’s rated important pertains to a “security feature bypass” in Office and we’re curious to get more information about that one. There are, of course, many different security features in Microsoft Office. Tommy Chin, a technical support engineer with CORE Security, has speculated that it might be a macro security bypass. If you’re concerned that this could be the problem, you could disable VBA macros in the macro security settings.
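For admins who want to check (or enforce) that macro setting across a fleet rather than clicking through each Trust Center, here is an added PowerShell example that is not part of the original post. It assumes the per-application VBAWarnings DWORD that Office 2010 (14.0) and Office 2013 (15.0) read from the user hive, and that a value under the Policies key overrides the user-editable one.

```powershell
# Added example, not from the original post: audit and enforce the VBA macro
# security level for Office 2010 (14.0) and Office 2013 (15.0) applications.
# Assumed VBAWarnings DWORD under each app's Security key:
#   1 = enable all macros, 2 = disable with notification (default),
#   3 = disable except digitally signed, 4 = disable all without notification.
# A value under the Policies hive (Group Policy) takes precedence over the
# user-editable Trust Center value.
$versions = '14.0', '15.0'
$apps     = 'Word', 'Excel', 'PowerPoint'
$meaning  = @{ 1 = 'Enable all'; 2 = 'Disable with notification';
               3 = 'Disable except signed'; 4 = 'Disable all' }

function Get-VbaWarningsSetting {
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            $policy = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $user   = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            $source = 'not set (Office default applies)'
            $value  = $null
            # Policy key wins, so check it first; fall back to the user key.
            foreach ($path in $policy, $user) {
                $item = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
                if ($item) { $value = [int]$item.VBAWarnings; $source = $path; break }
            }
            $label = if ($null -ne $value -and $meaning.ContainsKey($value)) { $meaning[$value] } else { 'Default' }
            [pscustomobject]@{
                Version = $v; App = $app; VBAWarnings = $value; Meaning = $label; Source = $source
            }
        }
    }
}

# Enforce "disable all macros without notification" via the policy key so a
# user cannot simply re-enable macros from the Trust Center.
function Set-VbaMacrosDisabled {
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            $path = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            New-Item -Path $path -Force | Out-Null
            Set-ItemProperty -Path $path -Name VBAWarnings -Value 4 -Type DWord
        }
    }
}

# Report the current state; call Set-VbaMacrosDisabled to enforce level 4.
Get-VbaWarningsSetting | Format-Table -AutoSize
```

Run the audit first, since a value of 4 also blocks signed, business-critical macros; level 3 (signed macros only) is the usual compromise where those exist.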
Note that it’s likely that Microsoft will issue a patch for the XP/Server 2003 kernel vulnerability in January, after it has had time to go through the testing process. After all the recent problems caused by patches and resultant criticism saying that the fixes weren’t sufficiently tested before being released, it’s not surprising that the company would take a conservative approach with a patch that applies only to its oldest supported operating systems. When patches break the functionality of systems they’re designed to protect, it’s frustrating for the IT administrators who must then roll back or otherwise repair the damage. It also means more work for Microsoft’s support teams, who must guide sometimes-irate customers through the process of fixing the results of the fix.
These 11 patches will be issued on Tuesday, December 10th. Many IT pros had to battle severe winter weather to get to work on Friday. If nothing else, perhaps testing and applying all these updates will take their minds off the weather.