Microsoft has announced that next week’s November 2013 Patch Tuesday will have eight security bulletins covering both the Windows operating system and Microsoft Office software. In addition, there is a high-priority item: the current 0-day vulnerability in a graphics library used by Microsoft Office and older versions of Windows. No patch is available so far, but a workaround with relatively low impact exists.
The 0-day is detailed in security advisory KB2896666 as a vulnerability in the TIFF graphics format parser; the advisory reports that Microsoft is seeing limited attacks in the Middle East and South Asia. The observed attacks arrive as Microsoft Word documents, and the vulnerability is present in Microsoft Office 2003, 2007 and 2010. Microsoft has provided a Fix-It that turns off TIFF rendering in the affected graphics library, which should have no impact unless you work with TIFF files on a regular basis. TIFF is used frequently when scanning documents and in the publishing industry. Microsoft’s security toolkit EMET (Enhanced Mitigation Experience Toolkit) prevents the attack from executing, as it has for all of the recent Internet Explorer 0-days, showing again that it is a very effective proactive security measure to deploy on your Windows systems.
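Since the observed attacks arrive as Word documents carrying a malicious TIFF, a defender triaging mail attachments wants a quick way to find documents that embed TIFF data at all, so they can be quarantined or sandboxed ahead of the patch. The script below is an added example written for this post, not Microsoft's Fix-It or any code from the advisory. It assumes the document is an OOXML (zip) container such as .docx and checks each member's content for a TIFF header (`II*\0` little-endian or `MM\0*` big-endian) rather than trusting the file extension; for legacy binary .doc (OLE) files it falls back to a raw scan for the same magic bytes anywhere in the blob. The sample documents are constructed in memory.

```python
import io
import zipfile

# The two legal TIFF file headers: byte-order mark followed by the magic 42.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")


def is_tiff(data: bytes) -> bool:
    """True if the blob begins with a TIFF header (content check, not extension)."""
    return data[:4] in TIFF_MAGIC


def find_tiff_members(doc_bytes: bytes) -> list[str]:
    """Names of members in an OOXML (zip) document whose content starts with a TIFF header.

    A renamed image (e.g. image2.png holding TIFF bytes) still reaches the TIFF
    codec when Word renders it, so the check is on content, never on the name.
    """
    if not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if head in TIFF_MAGIC:
                hits.append(info.filename)
    return hits


def find_tiff_offsets(data: bytes) -> list[int]:
    """Fallback for legacy binary .doc: byte offsets of any TIFF header in the blob.

    OLE containers are not zip files, so the raw scan is the simplest signal;
    it can produce false positives on arbitrary binary data and is a triage hint only.
    """
    offsets = []
    for magic in TIFF_MAGIC:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            offsets.append(idx)
            start = idx + 1
    return sorted(offsets)


def triage(doc_bytes: bytes) -> dict:
    """Combine both checks into one verdict for an incoming document."""
    members = find_tiff_members(doc_bytes)
    offsets = [] if members else find_tiff_offsets(doc_bytes)
    return {
        "ooxml_tiff_members": members,
        "raw_tiff_offsets": offsets,
        "contains_tiff": bool(members or offsets),
    }


def build_sample_docx(with_tiff: bool) -> bytes:
    """Constructed minimal .docx-like container used as sample input (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED by default, so bytes stay raw
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if with_tiff:
            # A TIFF header disguised under a .bin name; the IFD offset field follows the magic.
            zf.writestr("word/media/image2.bin", b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"with_tiff={flag}:", triage(build_sample_docx(flag)))
```

Presence of a TIFF is a triage signal, not proof of exploitation: scanned documents legitimately embed TIFF images, so the result is best used to route such attachments into a sandbox or an EMET-protected viewer until the patch ships.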
There are three ‘critical’ bulletins affecting IE and Windows, and five ‘important’ bulletins affecting Office and Windows. The focus should be on patching the critical update for Internet Explorer. Addressing browser vulnerabilities on a fast schedule has become increasingly important as more and more of our time online is spent accessing the Internet and running applications through the browser. Microsoft’s recent SIR (Security Intelligence Report) points out on page 116 that, in 2013, the majority of attacks have been delivered through the browser, followed by file transfer applications and only then e-mail.
All of the critical bulletins and one of the important bulletins allow remote code execution and should be prioritized higher. The remaining important bulletins address elevation of privilege or denial of service conditions.
So all in all, this is a medium-sized Patch Tuesday, with the exception of the TIFF parsing 0-day for which Microsoft has seen limited attacks.