This month is a bit quieter than last month’s barrage of patches as there are only seven bulletins announced, of which three are Critical and four are Important.

The Microsoft Exchange patch (likely MS14-075) is on the list this month again and rated as Important. It is resolving an elevation of privilege vulnerability. Admins who have been watching for when that patch may drop can rest assured that it will not be before Tuesday. As you may recall, this patch was held out of last month’s Path Tuesday updates along with another out-of-band patch that was released later in November.  With all of the changes at Microsoft recently, this practice of holding a patch could become a pattern. It is likely that with less important patches, these will be released on a subsequent Patch Tuesday. However, for more important patches that aren't ready for Patch Tuesday, they will likely be released later on in the month as they become ready for release.

There is a Critical Internet Explorer update this month as well. We have seen a steady trend of a Critical Cumulative Security Update for IE each month for some time. It may just become a regular fixture as all of the major browsers are getting a lot of attention in the white hat hacking community. We can safely say that this is going to become a Critical monthly occurrence.

There are two additional Microsoft Windows patches, one of which is rated as Critical, the other Important. The Critical update could allow for remote code execution, the Important update is an information disclosure vulnerability.

There are three updates for Microsoft Office including one Critical. All three Office updates resolve vulnerabilities, which could allow remote code execution.

Adobe released an update for Flash Player late in November, so maybe we will see a break in the nine-month streak of Flash Player updates on Patch Tuesday.  We will have to wait and see on that.

Google Chrome and Mozilla FireFox both released a couple of updates in the past few weeks, so we anticipate not seeing any additional Patch Tuesday updates from the other major browsers — unless we see a Flash update. In that case we could also see a Chrome update to support the plug-in.

Microsoft Security Bulletins:

  • 3 bulletins are rated as Critical.
  • 4 bulletins are rated as Important

Vulnerability Impact:

  • 5 bulletins address vulnerabilities which could allow Remote Code Execution.
  • 1 bulletins address vulnerabilities which could allow Elevation of Privileges.
  • 1 bulletin addresses a vulnerability which could lead to Information Disclosure.

Affected Products:

  • All supported Windows Operating Systems (Including the Technical Previews!)
  • All supported Internet Explorer versions.
  • Microsoft Office 2007, 2010
  • Microsoft Exchange 2007, 2010, and 2013

Join us as we review the Microsoft and third-party releases for December Patch Tuesday in our next monthly Patch Tuesday webcast, which is scheduled for Wednesday, December 10th at 10 a.m. CDT.  We will also discuss other product and patch releases since the November Patch Tuesday.

You can register for the Patch Tuesday webinar here.

For more information on Patch Management go here.