Yesterday being the second Tuesday in December, another batch of updates was made available by Microsoft. This month there are eleven updates, affecting Windows, Internet Explorer, GDI+ and various server software. Five of the updates are flagged as Critical.

The official Security Bulletin Summary has all the technical details. As usual, there’s a somewhat less technical explanation of this month’s updates over at the MSRC blog. The MSRC post is worth reading, if only for the explanation of the difference between a security advisory and a security bulletin. The short version is that a bulletin is always associated with an update, whereas an advisory usually isn’t.

On December 10, Microsoft will publish eleven bulletins, with associated updates affecting Internet Explorer, Windows, Microsoft Exchange and GDI+.

The official advance notification has the technical details, while a post on the MSRC blog describes the updates in less technical language.

It’s the second Tuesday of November, which means it’s time to update all your Windows computers. This month’s announcement lists eight bulletins, affecting Windows, Office, and Internet Explorer.

A patch for the recently-reported vulnerability in Internet Explorer will also be made available later today, according to Microsoft. It will appear in the November 2013 Patch Tuesday announcement as bulletin #3 (MS13-090).

For the full technical details on this month’s updates, see the related post on the Microsoft Security Response Center blog.

Tuesday, November 12 will see a modest batch of updates from Microsoft. There will be eight bulletins in total, with five Critical updates addressing vulnerabilities in Windows and Internet Explorer, and three Important updates addressing vulnerabilities in Windows and Office.

The recently-discovered vulnerability in Office running on Vista will not get a patch on November 12, but Microsoft is working on it and will release it as soon as it’s ready.

Yesterday, Microsoft announced that they are looking into reports of a security vulnerability potentially affecting all versions of Internet Explorer. Apparently an exploit for this flaw exists and has been observed in the wild, targeting IE 8 and 9.

If you are using one of the affected browsers (likely all versions of Internet Explorer) and you visit a web site that has been compromised with malicious code that targets this vulnerability, an attacker might be able to execute arbitrary code on your computer remotely.

Microsoft issued security advisory 2887505 to warn and provide guidance to users. Workarounds include installing EMET and raising the security settings related to running ActiveX within the browser.

No patch for this vulnerability has yet been published by Microsoft, although there is a temporary ‘Fix-It’ solution available from Microsoft.

Update 2013Sep21: The SANS Internet Storm Center has been monitoring this issue. They have confirmed seeing related exploits in the wild. They also confirmed that Microsoft’s ‘Fix-It’ solution prevents these exploits, but only in 32-bit versions of Internet Explorer.

Update 2013Oct03: The developers of the controversial hacking toolkit Metasploit have released a module that exploits this IE vulnerability. This is likely to spur an increase in the number of attacks based on this vulnerability. Microsoft has yet to release a proper fix. If you use Internet Explorer for anything other than Windows Update, you should consider applying the temporary Fix-It solution or installing EMET (see above).