Microsoft Issues Five 'Critical' Security Fixes

Microsoft has issued eleven security bulletins as part of its final Patch Tuesday of 2013.

One of those bulletins addresses a zero-day flaw found in Windows XP, while another fixes a remote code execution vulnerability in the firm's web browser, Internet Explorer.

In total, Microsoft's December Patch Tuesday includes five patches rated "critical", Microsoft's most alarming security classification.

Windows XP TIFF Vulnerability Finally Addressed

The first critical fix, MS13-096, addresses a TIFF image file vulnerability exploited via Word, Microsoft's word processing application. The good news: only Windows XP users are affected.

"In this vulnerability, an attacker needs to convince a user to preview or open a bad TIFF image for exploitation," says Paul Henry, a security analyst at Lumension.

"Because we know persuading users to click isn't always that hard to do, a patch for this one is definitely welcome." (Source: theinquirer.net)

Remote Code Execution a Prominent Theme

A second critical fix, MS13-097 (which requires a system restart), deals with several flaws in Microsoft's Internet Explorer browser. If left unpatched, the vulnerabilities could allow a hacker to remotely take control of a targeted system.

This fix applies to every version of Internet Explorer since IE6 and every operating system (OS) since Windows XP. Yes, that means both Internet Explorer 11 and Windows 8.1 are affected.

A third fix, MS13-099, is designed to eliminate a bug in Microsoft's scripting runtime object library. Microsoft says it too could allow for remote code execution.

That leaves critical fixes MS13-098 and MS13-105. The former fixes a problem in Windows, while the latter addresses issues in Microsoft Exchange Server. Both are said to allow for remote code execution.

There are also six patches rated "important". Most of these fixes address slightly less serious problems affecting enterprise software and Microsoft Office.

Microsoft says that one of those patches, MS13-100, "resolves multiple privately reported vulnerabilities in Microsoft Office server software" that "could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server." (Source: networkworld.com)