On Tuesday, Microsoft published a bulletin summary explaining the vulnerabilities and their impact on users. The company made 11 patches available for the 24 bugs.
Dustin Childs, group manager for response communications for Microsoft Trustworthy Computing, wrote on the company's TechNet blog on Tuesday that the patches, or “bulletins,” that should be top of mind for users are MS13-096, MS13-097 and MS13-099, which rectify critical remote code execution (RCE) flaws in Windows, Office, Internet Explorer and Microsoft Lync, an instant messaging client.
Bulletin MS13-096 specifically addresses the TIFF zero-day vulnerability (CVE-2013-3906) discovered early last month. This hole exists in the way affected components handle specially crafted TIFF images. Saboteurs successfully exploited the bug, and were able to gain the same user rights as targeted individuals, Microsoft revealed via a November advisory.
Two additional bulletins deemed “critical” were also released on Tuesday: MS13-098, which fixes an RCE vulnerability in Windows, and MS13-105, a patch for another RCE bug impacting Exchange.
The remaining six patches in the December update plugged vulnerabilities ranked “important”: RCE bugs in SharePoint Server, elevation of privilege vulnerabilities in Windows and Developer Tools, and Office flaws that could allow an attacker to bypass the Address Space Layout Randomization (ASLR) security feature and steal users' access tokens.
MS13-104 addresses the token hijacking vulnerability (CVE-2013-5054) affecting Office 2013. Noam Liran, chief software architect at Adallom, a Menlo Park, US-based software-as-a-service (SaaS) security start-up, reported the bug to Microsoft.
In a Tuesday interview with SCMagazineUK.com, Liran said that the company detected the threat when an attacker attempted to exploit the bug while targeting an Adallom client.
To exploit the bug and take users' credentials, an attacker would simply need to trick a user into opening a malicious Office document, such as a Word, PowerPoint or Excel file, Liran explained.
“Simply [put], it's a hit and run,” Liran said. “You open a document and it gets your Office credentials. You really don't know that, in the background, your token is now in the hands of someone else.”