Microsoft Patch Tuesday – three critical updates coming, but no TIFF zero-day fix yet

November’s Patch Tuesday is coming up this week, and Microsoft’s usual “announcement that doesn’t say an awful lot” is out to help us prepare.

There are eight bulletins, three of them are critical, and you will need to reboot.

Pretty much what you expected, in fact.

Of course, this month’s big question is, “Will the recently-announced Windows zero-day get fixed?”

That’s not just a big question, but an important one, so Microsoft has addressed it explicitly.

The answer, I am sorry to have to tell you, is, “No.”

However, the unusually loose-lipped advisory blog posting (by Microsoft Patch Tuesday standards) that goes along with this month’s Security Bulletin Advance Notification is very useful.

So, if you will forgive us taking a small side-trip into what isn’t handled in Patch Tuesday, we’ll take a quick look at it.

What’s not fixed

The recent zero-day, which allows crooks to attack your computer using booby-trapped TIFF images, has created a lot of confusion amongst users and administrators trying to work out which of their computers are at direct risk.

Microsoft’s original notification didn’t help, listing Windows XP, 7 and 8, for example, as “non-affected platforms,” but Office 2003 to 2010 as “affected.”

Judging by some of our readers’ comments, we weren’t alone in wondering which took precedence – the unaffected operating system version or the affected software.

Because the zero-day is not getting patched this month, Microsoft has done its best to clear up the confusion, so we can now tell you that:

  • If you have Windows Vista or Server 2008, you are vulnerable to the TIFF zero-day no matter what additional software you have.
  • If you have Office 2003 or 2007, you are vulnerable no matter what Windows version you have.
  • If you have Microsoft Lync of any flavour, you are vulnerable no matter what Windows version you have.
  • If you have Office 2010 you are vulnerable, but only if you are running on Windows XP or Server 2003.

Just to remind you: the TIFF zero-day can be avoided with Microsoft’s Fix it, or by manually setting this registry entry:

   Microsoft\Gdiplus\DisableTIFFCodec = 1

Of course, as fellow Naked Security expert Chester Wisniewski pointed out in our recent podcast, this will probably stop you opening TIFF files that you do want to access, such as those produced by network-based fax and scanning software.

If, however, it’s years since you received a fax, and you have long made do with image support only for JPEG and PNG files – as have I – then the Fix it should do you no harm, and plenty of good.
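For administrators who would rather audit and roll out the registry workaround above across a fleet than click through the Fix it on each machine, here is a small PowerShell script. It is an added example, not code from Sophos or Microsoft. The article gives only "Microsoft\Gdiplus\DisableTIFFCodec = 1"; the script assumes that value lives under HKLM:\SOFTWARE\Microsoft\Gdiplus, and, as a further assumption, also writes the Wow6432Node copy of that key on 64-bit Windows so that 32-bit Office and other 32-bit GDI+ consumers see the setting. Because the workaround breaks legitimate TIFF handling (fax and scanner output, as noted above), the script audits first, supports -WhatIf, and can roll the change back by writing 0.

```powershell
# Added example (not Sophos's or Microsoft's code): audit, apply or roll back the
# DisableTIFFCodec workaround described in the article.
# Assumptions not taken from the article:
#   - the value lives under HKLM:\SOFTWARE\Microsoft\Gdiplus;
#   - on 64-bit Windows, 32-bit GDI+ consumers read the WOW64 registry view, so the
#     Wow6432Node path is handled as well (skipped automatically on 32-bit Windows).
# Run from an elevated PowerShell prompt.

$GdiplusKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Gdiplus',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Gdiplus'   # assumption: 32-bit view on x64
)
$ValueName = 'DisableTIFFCodec'

function Get-TiffCodecState {
    # Returns one object per key path with the current state of the workaround.
    foreach ($key in $GdiplusKeys) {
        $current = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.$ValueName }
        }
        [pscustomobject]@{
            Key       = $key
            Value     = $current
            Mitigated = ($current -eq 1)
        }
    }
}

function Set-TiffCodecState {
    # -Disable 1 blocks the GDI+ TIFF codec; -Disable 0 restores it (the rollback
    # you will want if fax or scanner software stops showing its images).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet(0, 1)]
        [int] $Disable = 1
    )
    foreach ($key in $GdiplusKeys) {
        # Only touch the Wow6432Node branch when its parent exists, i.e. on 64-bit Windows.
        $parent = Split-Path -Path $key -Parent
        if (-not (Test-Path -LiteralPath $parent)) { continue }
        if ($PSCmdlet.ShouldProcess($key, "Set $ValueName = $Disable")) {
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            # Written as REG_DWORD, matching the "= 1" the article quotes.
            Set-ItemProperty -LiteralPath $key -Name $ValueName -Value $Disable -Type DWord
        }
    }
}

# Audit first; drop -WhatIf once you have confirmed nobody on the machine relies on TIFF.
Get-TiffCodecState | Format-Table -AutoSize
Set-TiffCodecState -Disable 1 -WhatIf
```

Running Get-TiffCodecState before and after the change gives you a record, per registry view, of whether the workaround is actually in force, which is the check you want when a machine later turns out to be in the "vulnerable no matter what" categories listed above.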

What is fixed

As mentioned above, we can’t yet tell you exactly what’ll be fixed on Patch Tuesday – a marked contrast to the prompt and complete OpenSSH bug-fix bulletin we wrote about yesterday.

Of course, there are a lot more interacting components in Microsoft’s Patch Tuesdays – or moving parts, as skeuomorphically-minded software engineers like to call them, even though they don’t actually move at all (the parts, not the engineers).

What we can tell you is that Patch Tuesday will bring you:

  • A critical fix relevant to all versions of Internet Explorer (IE) on all platforms, on all CPUs, at all bit sizes. That means IE 6 to 11 on XP to 8.1, 32 or 64 bit, on Intel and ARM. In short, if you have Windows clients in your business, you will be updating.
  • A necessary restart, so you will be rebooting.
  • Important fixes for all versions of Office, from 2003 to 2013, and for Outlook 2007 to 2013.

As usual, keep your eye on the SophosLabs Vulnerability page to read our own assessment of the risk posed by each bulletin.

If you can’t, won’t, or simply don’t like to update as soon as you can, our Vulnerability page is a handy aid to prioritising your patching activities.

Incidentally, we frequently recommend Server Core installs whenever you are commissioning a server that doesn’t need full-blown Windows, because Server Core has less code in it to attack.

Of course, “less code to attack” doesn’t mean “no code to attack,” so we need to remind you that Server Core installs will need updating and rebooting this month.

Update. We originally concluded by saying that Server Core was not affected this month. As a commenter pointed out below, that’s not true. The article has been corrected. [2013-11-11T09:30Z]

Note. Sophos blocks the various components of the TIFF zero-day, and attacks known to be associated with it, as follows:

  • Exp/20133906-A
  • Troj/20133906-A
  • Troj/20133906-B
  • Troj/DocDrp-C