This month, Microsoft plans to release 11 security bulletins, including one for a zero-day flaw in TIFF image handling that could allow remote code execution (RCE).
The tech giant provided a preview of its Patch Tuesday release on Thursday on its Security TechCenter site.
Among the 11 bulletins to be dispatched on Dec. 10, five address critical RCE flaws in Windows, Office, Internet Explorer, Exchange and Microsoft Lync, an instant messaging client.
The remaining six bulletins, rated “important”, address elevation of privilege bugs in Windows and Developer Tools, as well as security feature bypass and information disclosure vulnerabilities in Office.
A remote code execution vulnerability in Office and Microsoft Server software will also be addressed in the Patch Tuesday release.
Of note, one of the critical RCE patches scheduled for Tuesday fixes a zero-day vulnerability (CVE-2013-3906) disclosed early last month that exists in the way affected components parse specially crafted TIFF images. The bug has already been exploited in the wild: an attacker who succeeds gains the same user rights as the targeted user, so accounts without administrative rights limit the damage.
One serious hole that won't be plugged with the monthly update is a zero-day vulnerability (CVE-2013-5065) affecting Windows XP and Windows Server 2003, which has already been leveraged in targeted attacks. That bug, disclosed last week, is a local elevation of privilege: an attacker who already has code running on the machine with limited rights could escalate to full administrative control, allowing them to install programs, access and modify data, or create accounts with full administrative rights.
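Because CVE-2013-5065 will remain unpatched after Tuesday, the practical question for an administrator is which hosts are in scope and whether Microsoft's interim workaround (rerouting the NDProxy.sys driver to null.sys via its service registry entry) is in place. The following PowerShell is an added example, not from the article or from Microsoft; the registry path and the null.sys convention follow Microsoft's advisory as the author of this example understands it and should be verified against that advisory before being relied on.

```powershell
# Added example (not from the article): report whether this host is in scope
# for CVE-2013-5065 (Windows XP / Server 2003) and whether the advisory
# workaround (NDProxy service ImagePath pointed at null.sys) is applied.
# The registry location below is an assumption drawn from the advisory.

function Get-NdProxyExposure {
    $os = [Environment]::OSVersion.Version
    # Windows XP reports NT 5.1; Windows Server 2003 (and XP x64) report NT 5.2
    $inScope = ($os.Major -eq 5 -and ($os.Minor -eq 1 -or $os.Minor -eq 2))

    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'
    $props = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $imagePath = $null
    if ($props -ne $null) { $imagePath = $props.ImagePath }

    # Workaround is considered present only when the driver image is null.sys
    $mitigated = ($imagePath -ne $null -and $imagePath -match 'null\.sys$')

    $action = 'Not affected (OS out of scope)'
    if ($inScope -and -not $mitigated) {
        $action = 'Apply advisory workaround or isolate host until a fix ships'
    } elseif ($inScope) {
        $action = 'Workaround present; RAS, dial-up, VPN and TAPI will not function'
    }

    # New-Object PSObject works on PowerShell 2.0, the newest version on XP/2003
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = $os.ToString()
        InScope      = $inScope
        NDProxyImage = $imagePath
        Mitigated    = $mitigated
        Action       = $action
    }
}

Get-NdProxyExposure | Format-List ComputerName, OSVersion, InScope, NDProxyImage, Mitigated, Action
```

Reading the service key does not require elevation, so the function can be pushed to a fleet through an existing remote execution channel to build an exposure list. The workaround disables the driver entirely, so any host that depends on Routing and Remote Access, dial-up, VPN or TAPI loses those services while it is applied; that trade-off should be decided per host, not fleet-wide.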
The security community is particularly concerned about the Windows XP threat, as many enterprises haven't migrated off the 12-year-old operating system, which reaches its end of life in April 2014, just four months away.