Microsoft likely to patch zero-day next week

Microsoft likely to patch zero-day next week

Summary: It looks like a fairly busy Patch Tuesday in December. There are two open zero-day vulnerabilities in Windows. It's likely there will be a patch for one, but not the other.


Microsoft released their Security Bulletin Advance Notification for December 2013 today. Next Tuesday, December 10, Microsoft will issue 11 security bulletins fixing an as-yet unspecified number of vulnerabilities. Five of the bulletins contain at least one critical vulnerability.

The affected products are Microsoft Windows, Office, Lync, Internet Explorer, Exchange, Visual Studio Team Foundation Server 2013 and ASP.NET SignalR.

There are currently two public zero-day vulnerabilities in Windows being exploited in the wild: A bug in TIFF parsing in some, generally older, versions of Windows and Office; and a local privilege escalation vulnerability in Windows XP and Server 2003.

Wolfgang Kandek, CTO of Qualys, thinks it likely that the TIFF vulnerability will be patched, but not the local privilege escalation bug. The latter is probably too recent to have made it through the process, and the fact that it's limited to XP and Server 2003 doesn't help to raise its priority at Microsoft. Both zero-day vulnerabilities have effective workarounds described by Microsoft.

Qualys also posted an interesting chart of the number of bulletins published by Microsoft over the last four years, assuming this coming Tuesday closes the book on 2013.


The overall number of bulletins released over time hasn't changed radically. Microsoft has become more regular in the release compared to 2010 and 2011, although things went awry a few months ago.

Topics: Security, Microsoft, Windows, Windows Server

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • MS Patches

    Well - As always the ceitics will be out hot and heavy tomorrow with all of the usual crud and the Apple and linux boys will have plenty to say... just saying - always something to fill the day...
    • They're probably spending their time thusly

      Camping out at a Microsoft store waiting for WinPhone 10.
  • Patches on a system not used on said system

    Heh, I'm aLinux Windows Mac guy (Brands? not for_me), running the machines engages in making revenue on Linux and Mac's, Though having three Winboxes running only custom build from src/not! using MSVC compilers,, apps so I don't need to care about these patches on those WinBoxes. Most of the apps built using secured execution run with encryptions at least twice as high as M$ own, many ten times as high, so the for patches of ancient types . . . . . .
    That I cant rebuild due to closed source, makes no sense.
    All boxes are on 100/100 internet sockets, running without any AV or security extras.

    So the kernel of the pudel are the centralized “storage in registry” structure of Windows and most MSVC built apps.

    Quit such builds and start engage in constructive computing, even on WinBoxes.
    • Word salad

      Looks like the typing of 100 monkeys.
  • Microsoft created the problem!

    It's time for Windows XP users to sue Microsoft for their buggy operating sytem. They created all these problems by not properly testing and auditing the programs before releasing them to the cosumers. The comsumers cannot correct these problems - only Micorsoft can. It's time to get Microsoft off of their high horse and fix the faulty operating system programs.
    • Indeed try to make programmers become more responsible

      According to first law of Stephen Covey, "Be Proactive", we can't blame anyone for our substandard output. We are responsible for those things we create.

      Someone or all of us, netizens, must make a stand against lousy programmers, and un-audited, buggy, vulnerable software without proper quality assurance, product control from software companies. They can't just stare at their profits, they must ensure safety of their customers. I wonder who approved those disclaimers which pops-up before any software installation.
    • Re: MS created the problem

      Spoken like a true Linux, Apple shill/ zealot!. MS has retired/ stopped support of XP! What planet did you just drop in from?? MS has for months, possibly a year, told people that ALL support for XP is over, done, kaput, ain't a gonna be no more. "IF" anyone expects more support for a "NO LONGER VALID" operating system, "THEN ANY PROBLEMS THEY ENCOUNTER ARE STRICTLY THEIRS"!! Nobody Else's! That's akin to today, trying to sue Ford for safety defects on their Model "T". Do you by chance live in Colorado where they just legalized marijuana and are taking a hit while typing???????? Your post makes ABSOLUTELY no sense!!!!!!!!!!!!! Other than a shill/ zealot for another OS!
      • XP support

        I just installed an update to XP yesterday. That belies your "MS has retired/ stopped support of XP!" statement. If fact, XP will be supported until April.

        Stop spreading FUD/disinformation.
    • Apparently,

      You have not read the Microsoft EULA. Nice site has the EULA for Windows XP Home in plain English instead of "lawyerese":

      Section 15: Microsoft assures you that Windows XP Home will work correctly for the first 90 days. They do not assure you that Windows XP Home or any “service packs” or “hot fixes” will work correctly after this time.
      Microsoft is not responsible for anything that happens to your computer, lost time, lost documents, etc. that happens as a result of using Windows XP Home.
      If Windows XP Home causes damage or otherwise misbehaves, Microsoft may choose to refund the price you paid for Windows XP Home or replace Windows XP Home. In either case, you are responsible for all related charges (such as shipping).
      Microsoft will never have to pay you more than the price you originally paid for Windows XP Home.
      Microsoft will not be liable for any damages caused by viruses, even if those viruses are the result of security problems in Windows XP Home.

      And Section 17: Microsoft is not responsible for any damages. This includes loss of profit, the release of confidential information, or the loss of your privacy.
      Microsoft is further not liable for failing to use “good faith,” “reasonable care” or for negligence.
      Microsoft is not liable even if they break the terms of this agreement.

      So it seems that Microsoft doesn't HAVE to fix issues in their software since there really isn't any recourse for us.
    • .

      Could be worse, could be like OSX where they drop support after 18 months. A bit short considering it costs an extra $1000 to get OSX on a $800 laptop.
    • Time for XP user to sue Microsoft, really??

      Let's see...

      Microsoft re-wrote a large chunk of XP back with sp2 making it *much more* secure. Then, they've kept supporting it (at least from a security perspective) for 12 years (which is about 10 years longer than some of their competitor products).

      Yes, it's time for XP users to give up and get an operating system whose design dates from this millennium (yeah, XP shipped in 2001, but the "keel" of that ship was probably put in place in 1999). But, if they want to run an OS for 10 years and get security support that whole time, that OS had better start with the word "Windows".
  • Hummm...

    It sounds a bit like MS giving up support for XP earlier than they told.
    • XP security patch support ends next April

      That date was set when Vista shipped back in early 2007 (it got mainstream support for two years past Vista's formal ship date and another 5 years of "extended" support (which includes security patches) beyond that). Microsoft's "support lifecycle" is a bit convoluted in places, but it all makes sense, and it makes life *very* predictable.