Today, we’re providing advance notification for the release of eight bulletins, three Critical and five Important, for November 2013. The Critical updates address vulnerabilities in Internet Explorer and Microsoft Windows, and the Important updates address issues in Windows and Office.
While this release won’t include an update for the issue first described in Security Advisory 2896666, we’d like to tell you a bit more about it. We’re working to develop a security update and we’ll release it when ready. In the meantime, the advisory includes a Fix it that prevents the attacks from succeeding, and we recommend customers apply it to help protect their systems. We also want to clarify which products the advisory lists as affected. We’ve seen some confusion due to the shared nature of the GDI+ component, which is where the issue resides. There are three ways you can have the GDI+ component installed on your system: Office, Windows, and Lync.
For Lync clients:
Again, we’re only aware of targeted attacks against Office 2007. In those attacks, Windows XP was the operating system seen in use.
As always, we’ve scheduled the security bulletin release for the second Tuesday of the month, November 12, 2013, at approximately 10:00 a.m. PST. Revisit this blog at that time for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of this month’s updates. Until then, please review the ANS summary page for more information that will help customers prepare for security bulletin testing and deployment.
Don’t forget, you can also follow the MSRC team’s recent activity on Twitter at @MSFTSecResponse.
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing