News Stay informed about the latest enterprise technology news and product updates.

Final Patch Tuesday of 2013 includes critical Exchange Server, IE fixes

Microsoft patched critical vulnerabilities in Exchange and Internet Explorer in December's Patch Tuesday, rounding out a busy year for administrators.

The last Patch Tuesday of 2013 will have admins busy implementing a number of critical and important security updates.

The latest round of Patch Tuesday security updates includes 11 bulletins, five of which are critical. All five critical bulletins address remote code execution vulnerabilities.

This brings the total 2013 bulletins to 106 and marks an end to the trend of fewer bulletins  in 2011 and 2012.

Bulletin MS13-105 includes security fixes that address four critical vulnerabilities affecting Exchange Server 2007, Exchange Server 2010 and Exchange Server 2013.

The vulnerability, which is found in the Data Loss Prevention and WebReady Document Viewing features, could be exploited if attackers send an email to end users on affected servers. If the emails are opened on Outlook Web Access, the attacker could compromise the entire Exchange Server, according to Amol Sarwate, director of Redwood Shores, Calif.-based IT security firm Qualys Inc.'s vulnerability labs.

The security fix involves updating the Oracle Outside In library, which has received multiple fixes in 2013's Patch Tuesday cycles.

Another critical bulletin addresses a vulnerability in multiple versions of Microsoft Office, Microsoft Lync and Windows. This vulnerability in MS13-098 could be exploited if end users open a malicious tag image file format (TIFF).  Last month, this was the subject of a zero-day attack that Microsoft released a workaround for.

Despite that, "not many people implement these workarounds. Maybe 10% of people who installed the patch [also implemented] the workaround," said Wolfgang Kandek, CTO of Qualys.

Kandek also noted that the TIFF vulnerability affects both the operating system level and the application level. While it affects Windows Vista and Windows Server 2008, if an enterprise is running a newer version, it's still not fully protected if it's running Office versions dated from 2003 to 2010.

These issues should give IT pros reason to consider abandoning older version of the software in favor of newer versions, Kandek said.

"These flaws, these zero days, I think they illustrate that the older the software it is, the more susceptible the software [to attack]," said Kandek.

Multiple versions of Internet Explorer will receive critical security updates for seven vulnerabilities, which could be exploited if end users view a malicious webpage with an affected browser.

Other critical security updates include fixes for a Windows vulnerability that could be exploited through affected portable execution files. There is also an update for a vulnerability in Microsoft Scripting Runtime Object Library, which could be exploited if an end user visits a malicious website.

The six important security updates include fixes for remote code execution, elevation of privilege, information disclosure and security feature bypass vulnerabilities.

Microsoft Office will receive security updates from two bulletins. One bulletin addresses an information vulnerability that could be exploited if end users try opening Office files on malicious websites. The other bulletin addresses a security feature bypass vulnerability, which could be exploited with a web-browsing attack. This vulnerability could also be exploited in conjunction with another vulnerability.  

Other important security updates address issues in SharePoint, Windows kernel-mode drivers, the LRPC client and ASP.NET SignalR.

The complete list of updates can be found here.

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.