At the top of Microsoft’s patch list is a TIFF image flaw that was not fully patched in the November Patch Tuesday update, even though it was known and being exploited. The MS13-096 advisory in the December update explains that “a remote code execution vulnerability exists in the way that affected Windows components and other affected software handle specially crafted TIFF files.”
Microsoft warns that the TIFF flaw, if exploited, could have potentially enabled an attacker to take control of a user’s PC.
The vulnerability could allow remote code execution if a user views TIFF files in shared content. An attacker who successfully exploited this vulnerability could take complete control of an affected system.