Patch Tuesday December 2013 – TIFF exploit patched, XP kernel flaw not fixed yet


The updates for Microsoft’s December 2013 Patch Tuesday are out.

As promised, there are eleven bulletins, with six of them fixing remote code execution holes.

Five of those are rated by Microsoft as critical.

Fortunately, only one of them gets the most severe rating from SophosLabs – a level we also denote with the word “Critical,” as a way of noting an exploit that is either already being used by malware, or about to be used.

That rating was given to bulletin MS13-096, which patches a hole known as CVE-2013-3096, a bug in how Windows handles TIFF files.

In-the-wild abuse of this vulnerability was reported just before November’s Patch Tuesday, and anyone who isn’t a cybercrook hoped that Microsoft would be able to rush out a fix back then.

That didn’t happen, perhaps because Microsoft had already published a Fix it tool that prevented the bug from showing its face, but the TIFF fix did make it into this month’s patches.

Not fixed yet is the recently-announced zero-day in the Windows XP (and Server 2003) kernel driver NDPROXY.SYS, part of the telephony API.

That hole doesn’t itself allow crooks to break into your computer, but if they are already in (or find a way in), this bug allows what’s called an Elevation of Privilege, or EoP.

It looks as though patching this XP kernel hole will have to wait until next month – after which, of course, there will only be three official monthly updates to go before XP is put out to pasture forever.

As we mentioned before, this Patch Tuesday affects:

  • Windows end-user operating systems
  • Windows server operating systems
  • Office
  • Lync
  • Internet Explorer
  • Exchange
  • Microsoft Developer Tools

Server Core installs need patching too, along with all other versions of Windows, and a reboot is required.

Time, therefore, to get busy!

Happy patching, and don’t forget that if you still have XP, you’re running out of patches and ought already to have prepared for the end of XP in April 2014.

Get advice about dealing with the end of XP:

(Audio player not working? Download MP3, or listen on Soundcloud.)