Patch Tuesday December 2013 - TIFF exploit patched, XP kernel flaw not fixed yet


The updates for Microsoft's December 2013 Patch Tuesday are out.

As promised, there are eleven bulletins, with six of them fixing remote code execution holes.

Five of those are rated by Microsoft as critical.

Fortunately, only one of them gets the most severe rating from SophosLabs - a level we also denote with the word "Critical," as a way of noting an exploit that is either already being used by malware, or about to be used.

That rating was given to bulletin MS13-096, which patches a hole known as CVE-2013-3096, a bug in how Windows handles TIFF files.

In-the-wild abuse of this vulnerability was reported just before November's Patch Tuesday, and anyone who isn't a cybercrook hoped that Microsoft would be able to rush out a fix back then.

That didn't happen, perhaps because Microsoft had already published a Fix it tool that prevented the bug from showing its face, but the TIFF fix did make it into this month's patches.

Not fixed yet is the recently-announced zero-day in the Windows XP (and Server 2003) kernel driver NDPROXY.SYS, part of the telephony API.

That hole doesn't itself allow crooks to break into your computer, but if they are already in (or find a way in), this bug allows what's called an Elevation of Privilege, or EoP.

It looks as though patching this XP kernel hole will have to wait until next month - after which, of course, there will only be three official monthly updates to go before XP is put out to pasture forever.

As we mentioned before, this Patch Tuesday affects:

  • Windows end-user operating systems
  • Windows server operating systems
  • Office
  • Lync
  • Internet Explorer
  • Exchange
  • Microsoft Developer Tools

Server Core installs need patching too, along with all other versions of Windows, and a reboot is required.

Time, therefore, to get busy!

Happy patching, and don't forget that if you still have XP, you're running out of patches and ought already to have prepared for the end of XP in April 2014.


8 Responses to Patch Tuesday December 2013 - TIFF exploit patched, XP kernel flaw not fixed yet

  1. Joshua B. · 666 days ago

    I have a laptop much too old but still in great condition to even think about upgrading... The whole "much too old" thing really prevents me from upgrading because of the hardware on it. I think I'll just switch it to Linux instead, since even the latest Linux OS can run on older hardware just fine.

    • des · 666 days ago

      Can anyone get Linux?

      • Anonymous · 666 days ago

        Yes, and has links to basically any linux distro you can think of

      • MikeP_UK · 666 days ago

        Yes, it's free for personal use. There are various versions and some are easier to use than others. The good bit is that you can download it free, burn it to a CD or DVD and then try it out from the CD/DVD before any attempt to install it. Trying it that way makes no changes to your current system, lets you decide which version you prefer and then you can install that after trying it for a while.
        And it's not Microsoft!

        • TK · 665 days ago

          Of course for most people the name of the game is the applications they want/need to use. A different OS means different applications in most cases. Whilst there are some pretty good analogs of the popular Windows apps, having to change all your apps because you changed OS is not something to treat as an afterthought.

          • Anonymous · 532 days ago

            @TK - Linux gives you a wider choice of applications and customizability. Most Windows programs will run in WINE (Windows Program Layer Emulator) and should work fine.

  2. John C. · 665 days ago

    For those who have older machines for which you don't wish to invest the cost of a Windows upgrade, using Linux in the post-XP era might be a good choice. It's definitely worth a try, but I think for most people the Windows-based application software that will not work with Linux will be a barrier. Another thing to consider is that the primary reason Windows has so many vulnerabilities is that it is the most widely used OS, so the bad guys devote most of their efforts against it. In other words, it's not that OSX and Linux are hack-proof. It is only a matter of time until other OS's are targeted too.

    We are fortunate that Microsoft provides years of free patches for their products. Those of us who deal with commercial software in our jobs are used to approving invoices for tens of thousands of dollars for software support agreements.

    • Justin Ong · 665 days ago

      The problem with Linux is there is a learning curve to it. It's not like Mac OS or Windows where it's just turn on and use. Some of the Linux distros also don't have drivers for hardware in the PC.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog