The last Microsoft patch day of 2013 is here and Microsoft has just pushed the new updates to Windows Update. If you check for new updates right now, your installation of Windows should pick them up and install them if automatic updates are configured.
Microsoft has released a total of 11 security bulletins this month that patch a total of 24 different vulnerabilities.
Five of the bulletins have received the highest severity rating of critical, while the remaining six received an important rating.
The information below provides you with all the details that you need to understand, download, and deploy the bulletins to protect affected systems and software.
In particular, you will receive information about the operating system, Office and server distribution of bulletins, a suggested deployment guide, links to each bulletin and non-security updates for additional information, as well as information on how to download and install those updates.
Operating System Distribution
The least affected client operating systems this time are Windows 8, Windows 8.1 and Windows 7, with three critical and one important bulletin.
Windows XP is affected by three critical and two important bulletins, and Vista by four critical bulletins and one important one.
On the server side, Windows Server 2008 R2 and Windows Server 2012 are the least affected with two critical and two important bulletins each.
Windows Server 2003 is affected by two critical and three important bulletins, and Windows Server 2008 by three critical and two important bulletins.
A total of three bulletins address vulnerabilities in Microsoft Office software. This time, Microsoft Office 2013 is the least affected with one bulletin that has been rated important. Then there is Office 2003 with one critical bulletin, and Office 2007 and Office 2010 which are both affected by vulnerabilities in two bulletins rated as critical and important.
Microsoft Server Software
Two bulletins address vulnerabilities in Microsoft Server this month. The following list details which server products are affected this month, and how severely.
Each month, Microsoft releases a deployment guide that weights the different bulletins in terms of importance. This goes beyond the severity rating of each bulletin, as the company suggests the order of bulletin installation.
While designed for Enterprise customers, system and network administrators in particular, it can also be of use to tech-savvy users and others who test bulletins first before they are deployed on live systems.
It should be clear that the deployment priority may change depending on the installed software and system used.
Microsoft has released an updated table this month that highlights the Deployment Priority, Severity and XI. In addition to highlighting the bulletins, products and priority, it also highlights the exploit index, maximum impact and disclosure.
Other security-related information
Security Advisory 2916652 has been released. It describes an update of the Certificate Trust List (CTL) for all supported versions of Windows. A third-party digital certificate that was trusted before has been removed from the list to protect Windows systems against spoofing and man-in-the-middle attacks.
Security Advisory 2905247 describes an issue in ASP.Net that could allow the elevation of privilege. The advisory suggests that administrators harden the security by making configuration changes.
Security Advisory 2871690 notifies customers that an update for Windows 8 and Windows Server 2012 is available that revokes digital signatures for specific UEFI modules.
Finally, Security Advisory 2915720 informs customers about a change to how Windows verifies Authenticode-signed binaries.
Non-security related updates
How to download and install the December 2013 security updates
All security updates are available via Windows Update. This is the recommended update tool for the majority of users. Most systems are configured to download and install the updates automatically.
If you want to speed things up, you can check for updates manually on your system to download and install the updates right away, rather than waiting until Windows discovers them.
To do so, tap on the Windows key, enter Windows Update, and select the result from the listing. This should open the Windows Update dialog that you can use to check for new updates.
Some users may not want to use automatic updates for that. This is for instance the case if the updates need to be deployed on multiple systems. While it is possible to download them individually on each system, it does not really make sense to do so from a bandwidth perspective.
Instead of having to download the same updates multiple times, you could instead download them once and deploy them afterwards on each system, even without an active Internet connection.
Another reason for not wanting to use automatic updates is if you want to test updates before they become available.
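The download-once, deploy-everywhere approach described above can be scripted. The following is an added example, not part of the original article: it assumes the standalone .msu packages were already downloaded from Microsoft into a folder (the path D:\Updates\2013-12 is hypothetical) and that the script runs from an elevated PowerShell prompt.

```powershell
# Added example: install every downloaded .msu package from one folder,
# without contacting Windows Update. $UpdateDir is a hypothetical path.
param(
    [string]$UpdateDir = 'D:\Updates\2013-12'
)

$wusa         = Join-Path $env:SystemRoot 'System32\wusa.exe'
$rebootNeeded = $false

foreach ($pkg in Get-ChildItem -Path $UpdateDir -Filter '*.msu' | Sort-Object Name) {

    # Only install packages whose Authenticode signature validates and
    # whose signer is Microsoft; anything else is skipped and reported.
    $sig = Get-AuthenticodeSignature -FilePath $pkg.FullName
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Write-Warning "$($pkg.Name): signature check failed ($($sig.Status)), skipped"
        continue
    }

    # wusa.exe is the Windows Update Standalone Installer.
    # /quiet suppresses the UI, /norestart defers the reboot to the end.
    $wusaArgs = @("`"$($pkg.FullName)`"", '/quiet', '/norestart')
    $proc = Start-Process -FilePath $wusa -ArgumentList $wusaArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0           { Write-Output "$($pkg.Name): installed" }
        3010        { Write-Output "$($pkg.Name): installed, restart required"
                      $rebootNeeded = $true }
        2359302     { Write-Output "$($pkg.Name): already installed" }
        -2145124329 { Write-Output "$($pkg.Name): not applicable to this system" }  # 0x80240017
        default     { Write-Warning "$($pkg.Name): wusa.exe exit code $($proc.ExitCode)" }
    }
}

if ($rebootNeeded) {
    Write-Output 'One or more updates require a restart to complete installation.'
}

# List what is now installed, newest first, to confirm the result.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 15 HotFixID, Description, InstalledOn
```

Because the packages are read from local or removable storage, the same folder can be reused on machines that have no Internet connection.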
You can access this month's Security Bulletin summary on this page on the Microsoft website. Additional information about this month's updates is available at the Microsoft Security Response Center blog.
If you prefer video, here is Microsoft's Update Tuesday overview for December 2013.