Microsoft has announced that an outstanding zero-day vulnerability left out of last month's Patch Tuesday update is to be resolved next week, while another actively exploited hole in its soon-to-be-obsolete yet still incredibly popular Windows XP OS goes unpatched for now.
Microsoft's December Patch Tuesday bundle brings the long-awaited fix for a critical zero-day vulnerability in Windows, Office and Lync, but fails to patch a similar hole in Windows XP.
Confirmed by the company back in November, when it released a Fix-It work-around for the flaw, the vulnerability in the Microsoft Graphics Component which handles tagged image file format (TIFF) loading and saving - a standard component of Windows, Office and Lync - allowed for the execution of arbitrary code in the context of the logged-in user, making for a serious security flaw.
Despite Microsoft admitting that the zero-day vulnerability was under active attack, a fix was not forthcoming in November's Patch Tuesday update bundle. That's something the company is thankfully resolving this month, promising that a patch for the flaw - rated Critical on the company's own ranking system - will be included in the regular releases made on the second Tuesday of each month.
Sadly, a recently-discovered vulnerability in Microsoft's Windows XP Telephony API, which again allows for arbitrary code execution and is under active exploitation in the wild, is not so lucky. While only affecting the outdated Windows XP operating system, that's still a substantial target for attackers: according to the most recent figures from NetMarketShare, Windows XP accounts for 31.22 per cent of the desktop and laptop operating system market. That's just behind Windows 7 with 46.64 per cent, and significantly ahead of Windows 8 at a devilish 6.66 per cent or Windows 8.1 with just 2.64 per cent.
While Microsoft is likely to patch the Windows XP hole some time early next year, it could be one of the last times such a vulnerability is addressed in the operating system. Official support for the platform expires in April 2014, after which end-users will no longer receive security updates - although larger corporations and government customers will still be able to receive emergency patches for a short time following that deadline.
December's Patch Tuesday update bundle also brings fixes for three more Critical-rated security vulnerabilities in Windows, one in Internet Explorer and one in the Exchange communications server package, plus a further six updates ranked as Important in Windows, Office and the Microsoft Developer Tools. Those Important-rated flaws can result in privilege escalation - allowing any one of the Critical vulnerabilities to be chained with them to execute code under administrative privileges, considerably worsening the impact of the flaws - as well as information disclosure and security feature bypassing.
All updates, along with an upgraded version of the Windows Malicious Software Removal Tool, will hit Windows Update on Tuesday the 10th of December.