Security Advisor

'Critical' Fixes for Windows, IE, Office and SharePoint Arrive in Security Update

Microsoft's September patch includes 13 items and addresses 47 flaws.

Microsoft's September Security Update arrived today with four "critical" and nine "important" bulletin items, including a cumulative fix for Internet Explorer.

As is typical with a Microsoft Patch Tuesday featuring an IE fix, experts are strongly suggesting bulletin MS13-069, which addresses 10 privately reported flaws in the Web browser, be the first item applied.

"For mass exploitation purposes, the most problematic issues have to do with Internet Explorer, with working exploits likely being developed in the near future to attack these memory corruption vulnerabilities," commented Kurt Baumgartner, principal security researcher at Kaspersky Lab North America. "These are the sort of things that can happen to anyone online, so all Windows users should address them ASAP."

Next on the "to-do" list for IT is bulletin MS13-068. This takes care of one privately reported issue in Microsoft Outlook that could allow a remote code execution (RCE) attack if an e-mail containing a specially crafted S/MIME certificate is viewed on the targeted system.

While forging S/MIME certificates is somewhat easy to pull off for an attacker, creating one that attacks this Outlook vulnerability is a bit trickier. "However, in this [bulletin's] case, we believe this particular vulnerability will be difficult to exploit for code execution," said MSRC's Jinwook Shin in a blog post. "In fact, we're not certain that the issue is exploitable at all but out of an abundance of caution and because attack technology improves over time, we are issuing the security update today."

However, given the amount of damage a successful exploit could cause, the fix should still be applied as soon as possible by users of Office 2007 and 2010 -- no matter how hard it is for hackers to pull off.

The third critical item of the month, bulletin MS13-067, addresses a total of 10 flaws in Microsoft's SharePoint and Office Web Apps software and is considered a cumulative fix due to the number of issues being fixed. The most severe issue could lead to an RCE attack through a harmful spear phishing technique.

While none of the addressed vulnerabilities are known to be under active attack, Microsoft predicts it is likely that attacks could arise within the next 30 days.

Bulletin MS13-070, Microsoft's final critical item of the month, takes care of an issue in Windows XP that could grant an attacker the same user rights as a current user if a file containing a malicious OLE object was opened.

While time is running out for Windows XP to receive security updates, look for Microsoft to keep a steady flow of fixes for the OS coming until its April end-of-support date.

Important Items
Microsoft has also rolled out a relatively high count of nine important bulletins, including:

  • MS13-071: Takes care of an RCE flaw in Windows XP, Vista and Windows Server 2008 that could be exploited if a specially crafted Windows theme was deployed on a targeted system.
  • MS13-072: This bulletin addresses 13 RCE flaws in Office 2003, 2007 and 2010 and corrects the way "the XML parser used by Word resolves external entities within a specially crafted file," according to Microsoft.
  • MS13-073: Addresses three more RCE issues in Office, this time specifically in Microsoft Excel.
  • MS13-074: Microsoft's Access bulletin blocks specific malicious Access files from being validated by the software.
  • MS13-075: This Office 2010 SP1 bulletin fixes a hole that could be exploited if IE was opened from the toolbar in Microsoft Pinyin IME for Simplified Chinese.
  • MS13-076: Seven privately reported flaws in Windows are addressed by updating how the kernel-mode driver handles objects in memory.
  • MS13-077: Concerning Windows 7 and Windows Server 2008 R2, this bulletin blocks a privately reported issue that could lead to an elevation of privilege.
  • MS13-078: Fixes a flaw in Microsoft FrontPage that could lead to an information disclosure attack if gone unpatched.
  • MS13-079: The final important item of the month fixes an Active Directory flaw that could arise if a harmful query was sent to the Lightweight Directory Access Protocol (LDAP) service.

Along with the 13 bulletins, Microsoft has also included the monthly Adobe Flash Player update for Internet Explorer.

Many of these bulletins may require a system restart to be fully applied. More information on the September security update can be found on the Microsoft Security Bulletin Summary page.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
