Microsoft Security Bulletins for December 2013 Overview

Another month, and another round of Microsoft Security Bulletins …

The last Microsoft patch day of 2013 is here and Microsoft has just pushed the new updates to Windows Update. If you check for new updates right now, your installation of Windows should pick them up and install them if automatic updates are configured.

Microsoft has released a total of 11 security bulletins this month that patch a total of 24 different vulnerabilities. Five of the bulletins have received the highest severity rating of critical, while the remaining six have received a rating of important.

The information below provides you with all the details that you need to understand, download, and deploy the bulletins to protect affected systems and software.

In particular, you will receive information about the operating system, Office and server distribution of bulletins, a suggested deployment guide, links to each bulletin and non-security updates for additional information, as well as information on how to download and install those updates.

Operating System Distribution

The least affected client operating systems this time are Windows 8, Windows 8.1 and Windows 7, each with three critical bulletins and one important bulletin.

Windows XP is affected by three critical and two important bulletins, and Vista by four critical bulletins and one important one.

On the server side, Windows Server 2008 R2 and Windows Server 2012 are the least affected with two critical and two important bulletins each.

Windows Server 2003 is affected by two critical and three important bulletins, and Windows Server 2008 by three critical and two important bulletins.

  • Windows XP: 3 critical, 2 important
  • Windows Vista: 4 critical, 1 important
  • Windows 7: 3 critical, 1 important
  • Windows 8: 3 critical, 1 important
  • Windows 8.1: 3 critical, 1 important
  • Windows RT: 3 critical, 1 important
  • Windows RT 8.1: 3 critical, 1 important
  • Windows Server 2003: 2 critical, 3 important
  • Windows Server 2008: 3 critical, 2 important
  • Windows Server 2008 R2: 2 critical, 2 important
  • Windows Server 2012: 2 critical, 2 important

Office Distribution

A total of three bulletins address vulnerabilities in Microsoft Office software. This time, Microsoft Office 2013 is the least affected with one bulletin that has been rated important. Then there is Office 2003 with one critical bulletin, and Office 2007 and Office 2010, which are each affected by two bulletins, one rated critical and one rated important.

  • Microsoft Office 2003: 1 critical
  • Microsoft Office 2007: 1 critical, 1 important
  • Microsoft Office 2010: 1 critical, 1 important
  • Microsoft Office 2013: 1 important

Microsoft Server Software

Two bulletins address vulnerabilities in Microsoft server software this month. The following list details which server products are affected, and how severely.

  • Microsoft Exchange Server 2007: 1 critical
  • Microsoft Exchange Server 2010: 1 critical
  • Microsoft Exchange Server 2013: 1 critical
  • Microsoft SharePoint Server 2013: 1 important

Deployment Guide

Each month, Microsoft releases a deployment guide that weights the different bulletins in terms of importance. This goes beyond the severity rating of each bulletin, as the company suggests the order in which the bulletins should be installed.

While designed for Enterprise customers, system and network administrators in particular, it can also be of use to tech savvy users and others who test bulletins first before they are deployed on live systems.

It should be clear that the deployment priority may change depending on the installed software and system used.

  • Tier 1 updates: MS13-096 GDI+, MS13-097 Internet Explorer, MS13-099 Scripting Runtime
  • Tier 2 updates: MS13-098 Windows, MS13-105 Exchange, MS13-100 SharePoint, MS13-101 KMD, MS13-102 Windows LPC
  • Tier 3 updates: MS13-103 SignalR, MS13-104 Office, MS13-106 Office ASLR

Microsoft has released an updated table this month that highlights the Deployment Priority, Severity and XI. In addition to highlighting the bulletins, products and priority, it also highlights the exploit index, maximum impact and disclosure.

Security Bulletins

  • MS13-096 Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)
  • MS13-097 Cumulative Security Update for Internet Explorer (2898785)
  • MS13-098 Vulnerability in Windows Could Allow Remote Code Execution (2893294)
  • MS13-099 Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution (2909158)
  • MS13-105 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)
  • MS13-100 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2904244)
  • MS13-101 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430)
  • MS13-102 Vulnerability in LRPC Client Could Allow Elevation of Privilege (2898715)
  • MS13-103 Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege (2905244)
  • MS13-104 Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)
  • MS13-106 Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass (2905238)

Other security-related information

Security Advisory 2916652 has been released. It describes an update of the Certificate Trust List (CTL) for all supported versions of Windows. A third-party digital certificate that was trusted before has been removed from the list to protect Windows systems against spoofing and man-in-the-middle attacks.

Security Advisory 2905247 describes an issue in ASP.NET that could allow elevation of privilege. The advisory suggests that administrators harden security by making configuration changes.

Security Advisory 2871690 notifies customers that an update for Windows 8 and Windows Server 2012 is available that revokes digital signatures for specific UEFI modules.

Finally, Security Advisory 2915720 informs customers about a change to how Windows verifies Authenticode-signed binaries.

Non-security related updates

  • Update for Windows 7 and Windows Server 2008 R2 (KB2847077)
  • Update Rollup for Microsoft Windows MultiPoint Server 2012 (KB2864239)
  • Update for Windows 8, Windows RT, and Windows Server 2012 (KB2877213)
  • Update for Windows 8, Windows RT, Windows Server 2012, Windows 7, Windows Server 2008 R2, and Windows Server 2008 (KB2891804)
  • Update for Microsoft Camera Codec Pack for Windows 8.1 and Windows RT 8.1 (KB2899189)
  • Update for Microsoft Camera Codec Pack for Windows 8 and Windows RT (KB2899190)
  • Update for Windows 8, Windows RT, and Windows Server 2012 (KB2903938)
  • Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2903939)
  • Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows XP (KB2904266)
  • Update for Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, and Windows Server 2008 (KB2905454)
  • Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2907791)
  • Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2907800)
  • Update for Windows 8.1 and Windows RT 8.1 (KB2909569)
  • Update for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, Windows Server 2012, Windows 7, and Windows Server 2008 R2 (KB2913152)
  • Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2913253)
  • Update for Windows 8.1 and Windows RT 8.1 (KB2913320)
  • Windows Malicious Software Removal Tool – December 2013 (KB890830)/Windows Malicious Software Removal Tool – December 2013 (KB890830) – Internet Explorer Version
  • Update for Windows 8, Windows RT, and Windows Server 2012 (KB2889784)
  • Rules Update for Direct Access Best Practice Analyzer for Windows Server 2012 (KB2896496)
  • Update for Windows 8.1 (KB2913236)
  • Language Packs for Windows RT (KB2607607)
  • Language Packs for Windows RT 8.1 (KB2839636)
  • Microsoft .NET Framework 4.5.1 (KB2858725)
  • Microsoft .NET Framework 4.5.1 Upgrade Language Packs (KB2858725)
  • Microsoft .NET Framework 4.5.1 Language Packs for Windows Server 2012 (KB2858726)
  • Microsoft .NET Framework 4.5.1 for Windows Server 2012 x64-based Systems (KB2881468)
  • Update for Windows 8.1 (KB2904594)
  • Internet Explorer 11 for Windows 7 and Windows Server 2008 R2 (KB2841134)

How to download and install the December 2013 security updates

All security updates are available via Windows Update. This is the recommended update tool for the majority of users. Most systems are configured to download and install the updates automatically.

If you want to speed things up, you can check for updates manually on your system so that the updates are downloaded and installed right away, and not when Windows discovers them.

To do so, tap on the Windows key, enter Windows Update, and select the result from the listing. This should open the Windows Update dialog that you can use to check for new updates.

Some users may not want to use automatic updates for that. This is for instance the case if the updates need to be deployed on multiple systems. While it is possible to download them individually on each system, it does not really make sense to do so from a bandwidth perspective.

Instead of having to download the same updates multiple times, you could instead download them once and deploy them afterwards on each system, even without an active Internet connection.

Another reason for not wanting to use automatic updates is if you want to test updates before they are installed on live systems.

Updates can be downloaded via third party tools, or directly from Microsoft’s Download Center.
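
The download-once, deploy-offline approach described above can be scripted. The following is an added example, not part of the original article: it installs standalone Windows packages (.msu) from a local folder with wusa.exe, but only after checking that each file carries a valid Authenticode signature from Microsoft. It assumes PowerShell 3.0 or later, an elevated prompt, and a hypothetical staging folder C:\Updates\2013-12 that already contains the downloaded packages.

```powershell
# Added example: offline installation of pre-downloaded .msu packages.
# The staging folder and log path are hypothetical placeholders.
$UpdateDir = 'C:\Updates\2013-12'
$LogFile   = Join-Path $UpdateDir 'install-log.csv'

function Get-WusaResult([int]$ExitCode) {
    # Format as unsigned hex so negative Int32 HRESULTs compare cleanly.
    switch ('0x{0:X8}' -f $ExitCode) {
        '0x00000000' { 'Installed' }
        '0x00000BC2' { 'Installed, reboot required' }   # 3010
        '0x00240006' { 'Already installed' }
        '0x80240017' { 'Not applicable to this system' }
        default      { "Failed ($_)" }
    }
}

$results = @(foreach ($msu in Get-ChildItem -Path $UpdateDir -Filter *.msu | Sort-Object Name) {
    # Refuse packages that are unsigned, modified after signing, or not
    # signed by Microsoft (the subject match is an assumption about the
    # publisher name in the signing certificate).
    $sig = Get-AuthenticodeSignature -FilePath $msu.FullName
    $trusted = $sig.Status -eq 'Valid' -and
               $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
    if (-not $trusted) {
        [pscustomobject]@{ Package = $msu.Name; Result = "Skipped: signature $($sig.Status)" }
        continue
    }

    # /quiet suppresses the UI, /norestart defers the reboot to the admin.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$($msu.FullName)`"", '/quiet', '/norestart' -Wait -PassThru
    [pscustomobject]@{ Package = $msu.Name; Result = Get-WusaResult $proc.ExitCode }
})

# Keep a per-machine record of what was installed, skipped, or failed.
$results | Export-Csv -Path $LogFile -NoTypeInformation
$results | Format-Table -AutoSize
if ($results.Result -contains 'Installed, reboot required') {
    Write-Warning 'One or more updates need a restart to complete.'
}
```

Office, Exchange and SharePoint updates are not shipped as .msu packages and are not covered by this script.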

Additional information

You can access this month’s Security Bulletin summary on this page on the Microsoft website. Additional information about this month’s updates is available at the Microsoft Security Response Center blog.

If you prefer video, here is Microsoft’s Update Tuesday overview for December 2013.
