Microsoft likely to patch zero-day next week

Microsoft released their Security Bulletin Advance Notification for December 2013 today. Next Tuesday, December 10, Microsoft will issue 11 security bulletins fixing an as-yet unspecified number of vulnerabilities. Five of the bulletins contain at least one critical vulnerability.

The affected products are Microsoft Windows, Office, Lync, Internet Explorer, Exchange, Visual Studio Team Foundation Server 2013 and ASP.NET SignalR.

There are currently two public zero-day vulnerabilities in Windows being exploited in the wild: A bug in TIFF parsing in some, generally older, versions of Windows and Office; and a local privilege escalation vulnerability in Windows XP and Server 2003.

Wolfgang Kandek, CTO of Qualys, thinks it likely that the TIFF vulnerability will be patched, but not the local privilege escalation bug. The latter is probably too recent to have made it through the process, and the fact that it's limited to XP and Server 2003 doesn't help to raise its priority at Microsoft. Both zero-day vulnerabilities have effective workarounds described by Microsoft.

Qualys also posted an interesting chart of the number of bulletins published by Microsoft over the last four years, assuming this coming Tuesday closes the book on 2013.

The overall number of bulletins released over time hasn't changed radically. Microsoft has become more regular in the release compared to 2010 and 2011, although things went awry a few months ago.