Tripwire's Tyler Reguly says that considering all that's being patched this month, it seems as if Redmond forgot to include the kitchen sink. Next week, Microsoft ends 2013 with 11 bulletins, offering a slightly slower end-of-year patch cycle, but there's still plenty to keep IT teams busy.
For the final Patch Tuesday of 2013, Microsoft will release five critical and six important bulletins, addressing flaws in every supported version of Windows, as well as all supported versions of Internet Explorer. Office is in the mix, as well as Exchange, SharePoint, and various developer tools.
"With 11 bulletins this month, Microsoft will easily break 100 patches in 2013, beating last years' numbers and even exceeding 2011's December 29th release of MS11-100. System administrators everywhere must have made Microsoft's naughty list because this holiday 'gift' is clearly a lump of coal," said Taylor Reguly, Tripwire's technical manager of security research.
"Microsoft is wrapping up the 2013 patch season with anything that was laying around. We're seeing patches for ASP.NET SignalR, Office, Exchange 2013, SharePoint 2013, and Lync 2013, as well as every version of Windows and Internet Explorer. Someone should tell Microsoft they forgot to include the kitchen sink."
Given that it is flagged as an elevation of privilege issue, there's speculation that Bulletin 8 might be a fix for the Windows XP Zero-Day that's circulating around online. But as usual Microsoft doesn't disclose the exact nature of a pending security fix until the day it drops, so we'll have to wait and see.
However, this month's patches will fix the GDI+ vulnerability disclosed last month, which is actively being targeted. The flaw, addressed in MSA 2896666 is rather evil (see what I did there?), as it impacts Windows, Office, and Lync. The targeted attacks are focused on Windows XP and Office 2007.
The advance notification, which also doubles as the final list of fixes come Tuesday, is available here.