Microsoft has just released advance details of the patches that are scheduled to be released on Tuesday, December 10. The details are currently available at http://technet.microsoft.com/en-us/security/bulletin/ms13-dec
There are a total of eleven bulletins to be released, five of which are identified as CRITICAL. Microsoft has indicated that operating system restarts will be required for Bulletins 1-3. Bulletin #4 may require a restart and Bulletin #5 is not expected to require an operating system restart. Bulletins designated as #6-11 are assigned a severity of IMPORTANT.
Critical patches apply to the following products:
Bulletin #1 – CRITICAL
Workstation Operating Systems
- Windows Vista (32 and 64 bit)
Server Operating Systems
- Server 2008 (32, 64 bit and Itanium)
*Note – Server core installations of Server 2008 are also affected.
Office applications and products
- Office 2003, 2007 and 2010 (including 32 and 64 bit versions of Office 2010 SP1 and SP2)
Communication applications and products
- Lync 2010 and Lync 2010 attendee (both 32 and 64 bit versions)
*Note – bulletins for Lync are designated as IMPORTANT as opposed to CRITICAL
Bulletin #2 – CRITICAL
Workstation Operating Systems (Windows XP, Vista, Windows 7, Windows 8 & 8.1 and Windows RT & RT8.1)
Web Browsers
- Internet Explorer versions 6-11
Server Operating Systems – IMPORTANT
Web Browsers
- Internet Explorer versions 6-11
*Note – Server core installations for Server 2008 systems are NOT affected by the Internet Explorer vulnerabilities
Bulletin #3 – CRITICAL
Workstation Operating Systems
- Windows XP
- Vista
- Windows 7
- Windows 8 & 8.1
- Windows RT & RT8.1
Server Operating Systems – Server core only installations are also designated as CRITICAL
- Server 2003 (32, 64 bit and Itanium)
- Server 2008 (32, 64 bit and Itanium)
- Server 2008R2 (64 bit and Itanium)
Bulletin #4 – CRITICAL
Workstation Operating Systems
- Windows XP
- Vista
- Windows 7
- Windows 8 & 8.1
- Windows RT & RT8.1
Server Operating Systems – Server core only installations are also designated as CRITICAL
- Server 2003 (32, 64 bit and Itanium)
- Server 2008 (32, 64 bit and Itanium)
- Server 2008R2 (64 bit and Itanium)
Bulletin #5 – CRITICAL
Server software
- Exchange 2007, 2010 and 2013
Additional details will be available after 12 (noon) central time on Tuesday, December 10.
Update December 11 – 8:00 am
Microsoft has just released the patches for December. It was mostly as expected. Microsoft has done a better job than usual of explaining some deployment priorities; the link to that is http://blogs.technet.com/b/msrc/archive/2013/12/10/omphaloskepsis-and-the-december-2013-security-update-release.aspx . They suggest deploying MS13-096/097 and 099 as rapidly as possible. And I would say the workstations should be the biggest focus as it stands.
MS13-096 is a patch for the single vulnerability in Windows GDI+ for TIFF files that was being exploited. MS13-097 is an update to IE that patches seven privately reported vulnerabilities that are likely to be exploited in the near future. MS13-099 addresses a single vulnerability in VBScript that could be exploited via ActiveX and will also likely see exploits in the near future. MS13-098 addresses a vulnerability in Windows that could allow remote code execution if a specially crafted portable executable file was run.
Most of the other vulnerabilities concern server or communication products and have been assigned IMPORTANT security designations.
Update 2 – December 11
Late in the day on Dec 10, Adobe also released updates for Flash and AIR. Details are available at http://helpx.adobe.com/security/products/flash-player/apsb13-28.html