Microsoft likely to patch zero-day next week

Summary: It looks like a fairly busy Patch Tuesday in December. There are two open zero-day vulnerabilities in Windows. It's likely there will be a patch for one, but not the other.

Microsoft released their Security Bulletin Advance Notification for December 2013 today. Next Tuesday, December 10, Microsoft will issue 11 security bulletins fixing an as-yet unspecified number of vulnerabilities. Five of the bulletins contain at least one critical vulnerability.

The affected products are Microsoft Windows, Office, Lync, Internet Explorer, Exchange, Visual Studio Team Foundation Server 2013 and ASP.NET SignalR.

There are currently two public zero-day vulnerabilities in Windows being exploited in the wild: a bug in TIFF parsing in some, generally older, versions of Windows and Office; and a local privilege escalation vulnerability in Windows XP and Server 2003.

Wolfgang Kandek, CTO of Qualys, thinks it likely that the TIFF vulnerability will be patched, but not the local privilege escalation bug. The latter is probably too recent to have made it through the process, and the fact that it's limited to XP and Server 2003 doesn't help to raise its priority at Microsoft. Both zero-day vulnerabilities have effective workarounds described by Microsoft.

Qualys also posted an interesting chart of the number of bulletins published by Microsoft over the last four years, assuming this coming Tuesday closes the book on 2013.

[Chart: Microsoft bulletins, 2010-2013]

The overall number of bulletins released over time hasn't changed radically. Microsoft has become more regular in its releases compared to 2010 and 2011, although things went awry a few months ago.

Topics: Security, Microsoft, Windows, Windows Server

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
