Microsoft to issue last Patch Tuesday updates of 2013


Microsoft will patch a vulnerability next week that has left Windows Vista and Office users at risk of having their systems taken over by hackers.

As reported by IT Pro last month, the software giant has released workarounds to reduce the risk of hackers exploiting the vulnerability, which has already been used in targeted attacks in the Middle East and South Asia.

Victims are sent an email asking them to open a corrupted Word attachment containing a malformed image that grants the hacker the same system access rights as the logged-on user.


However, a more permanent fix for the vulnerability is being rolled out next week as part of Microsoft's monthly Patch Tuesday security update cycle.

Paul Henry, forensics and security analyst at patch management vendor Lumension, said a patch for the vulnerability was long overdue.

"It affects Windows, Office and Lync through Office 2007 installed on XP," Henry explained.

"In this vulnerability, an attacker needs to convince a user to preview or open a bad TIFF image for exploitation. Because we know persuading users to click isn't always that hard to do, a patch for this one is welcome."

Next week is the last Patch Tuesday of 2013 for Microsoft, marking the end of a busy year of security updates for the firm. Eleven bulletins will be issued in total, and will include five critical and six important patches.

Overall, the past 12 months have seen 106 bulletins published, while 2012 brought just 83.

Aside from the security update detailed above, the December Patch Tuesday will also see fixes for issues in Internet Explorer, Microsoft Exchange and its server software.

However, anyone holding out for a patch to the Windows XP and Server 2003 elevation of privilege vulnerability Microsoft announced last week will be disappointed this time around.

Microsoft said it is aware of limited, targeted attacks that have attempted to exploit this vulnerability, and confirmed that people using newer versions of both types of software should not be affected.

Dustin C. Childs, group manager of response communications within Microsoft's Trustworthy Computing division, assured users in a blog post the firm is working on a fix for the issue.

"Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems," he wrote.

Lumension's Henry said Microsoft's delay in issuing a patch should serve as a timely reminder to Windows XP users about the operating system's ever-shortening shelf life.

"This is perhaps another reminder that end of life is now just four months out for Windows XP and users still running it should move to a current generation operating system sooner rather than later," he added.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.