Advance notice of December Microsoft patches – to be released on Dec 10

Microsoft has just released advance details of the patches that are scheduled to be released on Tuesday, December 10. The details are currently available at http://technet.microsoft.com/en-us/security/bulletin/ms13-dec

There are a total of eleven bulletins to be released, five of which are identified as CRITICAL.  Microsoft has indicated that operating system restarts will be required for Bulletins 1-3. Bulletin #4 may require a restart and Bulletin #5 is not expected to require an operating system restart.  Bulletins designated as #6-11 are assigned a severity of IMPORTANT.

Critical patches apply to the following products:

Bulletin #1 – CRITICAL

Workstation Operating Systems

  • Windows Vista (32 and 64 bit)

Server Operating Systems

  • Server 2008 (32, 64 bit and Itanium) *Note – Server core installations of Server 2008 are also affected.

Office applications and products

  • Office 2003, 2007 and 2010 (including 32 and 64 bit versions of Office 2010 SP1 and SP2)

Communication applications and products

  • Lync 2010 and Lync 2010 attendee (both 32 and 64 bit versions)

*Note – bulletins for Lync are designated as IMPORTANT as opposed to CRITICAL

 

Bulletin #2 – CRITICAL

Workstation Operating Systems (Windows XP, Vista, Windows 7, Windows 8 & 8.1 and Windows RT & RT8.1)

Web Browsers

  • Internet Explorer versions 6-11

Server Operating Systems – IMPORTANT

Web Browsers

  • Internet Explorer versions 6-11

*Note – Server core installations for Server 2008 systems are NOT affected by the Internet Explorer vulnerabilities

 

Bulletin #3 – CRITICAL

Workstation Operating Systems

  • Windows XP
  • Vista
  • Windows 7
  • Windows 8 & 8.1
  • Windows RT & RT8.1

Server Operating Systems – Server core only installations are also designated as CRITICAL

  • Server 2003 (32, 64 bit and Itanium)
  • Server 2008 (32, 64 bit and Itanium)
  • Server 2008R2 (64 bit and Itanium)

 

Bulletin #4 – CRITICAL

Workstation Operating Systems

  • Windows XP
  • Vista
  • Windows 7
  • Windows 8 & 8.1
  • Windows RT & RT8.1

Server Operating Systems – Server core only installations are also designated as CRITICAL

  • Server 2003 (32, 64 bit and Itanium)
  • Server 2008 (32, 64 bit and Itanium)
  • Server 2008R2 (64 bit and Itanium)

Bulletin #5 – CRITICAL

Server software

  • Exchange 2007, 2010 and 2013

Additional details will be available after 12 (noon) central time on Tuesday, December 10.

 

Update December 11 – 8:00 am

 

Microsoft has just released the patches for December. The release was mostly as expected. Microsoft has done a better job than normal of explaining some deployment priorities; the link to that is http://blogs.technet.com/b/msrc/archive/2013/12/10/omphaloskepsis-and-the-december-2013-security-update-release.aspx. They suggest deploying MS13-096/097 and 099 as rapidly as possible. And I would say the workstations should be the biggest focus as it stands.

MS13-096 is a patch for the single vulnerability in Windows GDI+ for TIFF files that was being exploited. MS13-097 is an update to IE that patches seven privately reported vulnerabilities that are likely to be exploited in the near future. MS13-099 addresses a single vulnerability in VBScript that could be exploited via ActiveX and that will also likely see exploits in the near future. MS13-098 addresses a vulnerability in Windows that could allow remote code execution if a specially crafted portable executable file was run.

Most of the other vulnerabilities concern server or communication products and have been assigned IMPORTANT security designations.

Update 2 – December 11

Late in the day on Dec 10, Adobe also released updates for Flash and AIR. Details are available at http://helpx.adobe.com/security/products/flash-player/apsb13-28.html

 
