
It's Microsoft Patch Tuesday: September 2013

Tony Bradley gathers the information you need to make the right deploy decision when applying Microsoft's September 2013 patches in your organization.

Fall doesn't technically start for a couple weeks, but the kids are back in school, the NFL season has kicked off, and the Pumpkin Spice Latte is back at your neighborhood Starbucks. Microsoft is 'celebrating' fall with an avalanche of security bulletins for the September 2013 Patch Tuesday.

Apparently Microsoft encountered some issues between last week and today, because it had projected 14 security bulletins for today, but only 13 were released. Four updates are rated Critical, and the other nine are ranked Important by Microsoft. The security bulletins impact a wide range of products and services, including Windows, Microsoft Office, SharePoint, and what now seems to be the monthly update for Internet Explorer.

For SharePoint, an attacker could abuse the ViewState mechanism on two specific web pages and gain control over the server. By default, the pages require authentication, which limits the attack vector. If you have reconfigured authentication, this bulletin should be high on your list. Note that the bulletin contains workaround steps that you can configure immediately even if you cannot apply the patch right away.

This blog post is also available in the PDF format in a TechRepublic Download.

Security Patches

This month's thirteen security bulletins address vulnerabilities in Internet Explorer, Windows, Microsoft Office, and Microsoft Server software.

***

MS13-067 / KB2834052 – Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution

MS13-067 addresses ten vulnerabilities in SharePoint Server, and affects SharePoint 2003, 2007, 2010, and 2013, along with Office Web Apps 2010. The patch addresses multiple elevation-of-privilege vulnerabilities that could allow an attacker to execute code in the context of another SharePoint user. In certain situations where the default authentication mechanism has been changed, an attacker may be able to take control of the server. Safeguarding sensitive data is critical, so make sure to get this patch rolled out as soon as possible.

***

MS13-068 / KB2756473 – Vulnerability in Microsoft Outlook Could Allow Remote Code Execution

MS13-068 fixes a critical privately reported vulnerability in Outlook, which an attacker could use to execute arbitrary code in the context of the current user. It affects both Outlook 2007 and 2010. Attackers can exploit this without specific user interaction by crafting malicious S/MIME messages and sending them to target users. When the malicious message is opened, the exploit is triggered and the vulnerable system is compromised, enabling the attacker to run code in the context of the user. The attack vector makes it urgent to apply this patch as soon as possible.

***

MS13-069 / KB2870699 – Cumulative Security Update for Internet Explorer

MS13-069 is the latest cumulative security update for the Internet Explorer Web browser. The update applies to all supported versions of Internet Explorer, but none of the underlying flaws affects all versions of the browser. This patch should be deployed as quickly as possible, though, because any of these vulnerabilities can be used in drive-by exploits allowing the attacker to execute code in the context of the current user.

***

MS13-070 / KB2876217 – Vulnerability in OLE Could Allow Remote Code Execution

This update fixes a privately reported bug in the Windows operating system that could allow an attacker to execute remote code. If a user opens a file containing a specially crafted malicious OLE object, the system will be compromised, and the attacker will be able to execute code with the same rights as the user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

***

MS13-071 / KB2864063 – Vulnerability in Windows Theme File Could Allow Remote Code Execution

Some users love to download and apply cool themes to customize the look and feel of Windows. The vulnerability addressed by this patch can be exploited through a specially crafted malicious Windows theme. One mitigating factor is that the user must download and apply the malicious theme in order for the attack to work, so educating users against using suspicious or shady themes is advised as well.

***

MS13-072 / KB2845537 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

This update resolves a smorgasbord of privately reported vulnerabilities in Microsoft Office, 13 in all. The more severe vulnerabilities can be exploited through a specially crafted file being opened in an affected version of Microsoft Office. The attacker may be able to execute remote code in the context of the user. As with other similar issues, one way to mitigate the threat is to limit user privileges and not allow users to log in with administrative privileges.

***

MS13-073 / KB2858300 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

This update is similar in scope and impact to MS13-072, but more specific to Microsoft Excel. It resolves three privately reported vulnerabilities which could allow remote code execution in the context of the user if successfully exploited. Again, limiting user privileges on the system can minimize the threat or impact of these flaws.

***

MS13-074 / KB2848637 – Vulnerabilities in Microsoft Access Could Allow Remote Code Execution

This security update resolves three privately reported vulnerabilities in Microsoft Office - specifically Microsoft Access. As with MS13-072 and MS13-073, a specially crafted malicious Microsoft Access file could be used to exploit the flaws. A successful attack could allow the attacker to execute code with the same rights and privileges as the currently logged in user.

***

MS13-075 / KB2878687 – Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege

This update only impacts Microsoft Office IME, a Chinese version of the productivity suite. If an attacker launches Internet Explorer from the toolbar in Microsoft Pinyin IME for Simplified Chinese, they may be able to run arbitrary code in kernel mode. A successful exploit could enable an attacker to install malicious software, and add or remove user accounts with administrative privileges. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.

***

MS13-076 / KB2876315 – Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege

This update resolves seven privately reported vulnerabilities in Microsoft Windows. The potential threat is minimal because an attacker must have valid logon credentials and be logged on locally to exploit these vulnerabilities. A successful exploit could allow the attacker to elevate their privileges on the compromised system.

***

MS13-077 / KB2872339 – Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege

This update fixes one privately reported flaw in Microsoft Windows. The threat is minimal because the attacker must either have valid logon credentials and be logged on locally to the vulnerable system, or trick a user into running a specially crafted application that triggers the exploit. If an attack is successful, the attacker could gain elevated privileges on the compromised system.

***

MS13-078 / KB2825621 – Vulnerability in FrontPage Could Allow Information Disclosure

Companies using Microsoft FrontPage could be at risk of information disclosure as a result of this privately reported vulnerability. The exploit cannot be triggered automatically, but if a user is tricked into opening a specially crafted FrontPage document, the attacker may be able to access restricted or sensitive information.

***

MS13-079 / KB2853587 – Vulnerability in Active Directory Could Allow Denial of Service

An attacker can create a denial-of-service condition in Active Directory by exploiting this vulnerability. A specially crafted Lightweight Directory Access Protocol query could cripple Active Directory.

About

Tony Bradley is a principal analyst with Bradley Strategy Group. He is a respected authority on technology and information security. He writes regularly for Forbes and PCWorld, and contributes to a wide variety of online and print media outlets. He...

13 comments
Czarcasmic

Update KB2872339 gives me the "the application is unable to start correctly 0xc0000005" error when trying to open Firefox or Chrome, much like error KB2859537. Removing it fixed the issue.

dentalcrafters

A resolution for KB2670838 has been found - you need to ensure that you have up to date video drivers on your system. 

dentalcrafters

Microsoft has confirmed in a post on the TechNet blogs that the KB2817630 update released on Patch Tuesday is indeed causing problems for a number of users due to what seems to be a compatibility issue with Outlook 2013. (This, however, is not causing our issue, as we do not have any workstations with Outlook 2013; we have 2007 and 2010, and some, not all, are stuck in the installation loop.)

While the company said that it’s still working on a fix right now, it also advised users to uninstall and hide the patch from the Windows Update screen.

“Due to a version incompatibility between outlook.exe and mso.dll, a mismatched reference to a data structure causes the ‘Minimize’ button in the navigation pane to render incorrectly, typically extremely large to the point that the navigation pane is ‘invisible’ to the user. The issue only manifests when incompatible versions of outlook.exe and mso.dll exist on the system,” the company said.

“If both versions are earlier (lower) than 4535.1000, or both versions are later (higher) than 4535.1000, the problem does not manifest. If one file is updated but the other is not, the problem is evident. The incompatible state is created by installing either the September Public Update OR the August Cumulative update, but not both. Users of MSI-based products that have automatic updates enabled are those that are most likely to have encountered the issue.”

Microsoft says that both Office 2013 Standard and Office 2013 Professional Plus are affected by this buggy update, while all the other versions are on the safe side. Office 2013  Home & Student and Office 365, for example, should work flawlessly after the latest update.

Perhaps Microsoft would like to tell that to my XP workstations with Office 2007 and my Win 7 with Office 2010 installed this >:[

In addition, the company has promised to re-release the botched update sometime in the near future, with the correct patch to be delivered via the same Windows Update feature that's available in the OS.

Until then, make sure you uninstall and hide the patch from the Update screen, just to make sure it doesn’t break down your Office 2013 installation.
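The quoted Microsoft statement gives a concrete, checkable condition: outlook.exe and mso.dll on opposite sides of build 4535.1000. The script below is an added example, not from the commenter, the article, or Microsoft, that reads both file versions on a host and flags the mismatch. The file paths, the 15.0 major.minor prefix for Office 2013, and the rule that "at or above the threshold" counts as updated are assumptions.

```powershell
# Added example: detect the outlook.exe / mso.dll version mismatch described for KB2817630.
# Paths assume a default 32-bit Office 2013 (Office15) layout; override them for your install.
param(
    [string]$OutlookPath = "$env:ProgramFiles\Microsoft Office\Office15\OUTLOOK.EXE",
    [string]$MsoPath     = "$env:CommonProgramFiles\Microsoft Shared\OFFICE15\MSO.DLL"
)

# Build cited in the quoted statement; the 15.0 prefix (Office 2013) is an assumption.
$threshold = [version]"15.0.4535.1000"

function Get-OfficeFileVersion {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # FileVersion carries the build string, e.g. "15.0.4535.1000"; keep only the first token.
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    return [version]($raw -replace '\s.*$', '')
}

function Test-OutlookMsoMismatch {
    param([version]$Outlook, [version]$Mso, [version]$Threshold)
    # Assumption: a file at or above the threshold is "updated", below it is "not updated".
    # The problem only manifests when exactly one of the two files is updated.
    $outlookUpdated = $Outlook -ge $Threshold
    $msoUpdated     = $Mso -ge $Threshold
    return ($outlookUpdated -ne $msoUpdated)
}

$outlookVer = Get-OfficeFileVersion $OutlookPath
$msoVer     = Get-OfficeFileVersion $MsoPath

if ($null -eq $outlookVer -or $null -eq $msoVer) {
    Write-Output "outlook.exe or mso.dll not found at the assumed paths; nothing to check."
    return
}

Write-Output ("outlook.exe {0}  mso.dll {1}" -f $outlookVer, $msoVer)
if (Test-OutlookMsoMismatch $outlookVer $msoVer $threshold) {
    Write-Warning "Versions straddle $threshold: this host matches the KB2817630 mismatch condition. Uninstall and hide the update, or apply the re-release once Microsoft ships it."
} else {
    Write-Output "outlook.exe and mso.dll are on the same side of $threshold; no mismatch."
}
```

Run it on each affected workstation, or wrap it in Invoke-Command to sweep a fleet before deciding whether to uninstall and hide the update.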

davidjbell

I've got the same problem as ng_vasantha, i.e., the three MS Office updates say they install successfully on my Win 7 64-bit PC but then appear again waiting for install a short while later. This happens repeatedly, even after a reboot. Let's hope MS have a fix in the wings.

ng_vasantha

The following updates are installing again and again even though the status says they updated successfully.

Security Update for Microsoft Office 2007 suites (KB2760588)

Security Update for Microsoft Office Excel 2007 (KB2760583)

Security Update for Microsoft Office 2007 suites (KB2760411)

The OS is Windows 7 32-bit.

Gisabun

No non-security updates listed? There was also a whack of Office 2010 & 2013 non-security updates.

Craig_B

I have Windows 8 and Office 2013, and it seems one or both of these updates, KB2810009 and KB2817630, may cause an issue in Outlook 2013 where the Folder Pane is blank. More people are reporting KB2817630 as the culprit. Microsoft has issued a hotfix that seems to fix this, KB2817503.

bward11

This patch took over 1 hour 15 minutes to install. And I have been having issues with IE since the installation.

Windows 7 64 Office 2013

PFCNPFCN

I have often reported privately to Microsoft in Stockholm that routine updates have destroyed indexing of Outlook files which then prevents searches and requires re-indexing that takes hours and freezes many responses to 'Clicks' within Outlook.

Source of many conflicts seems to have been Skype Click-to-Dial.

Windows 7, Microsoft Office 10

Brian, Phone +46 8 559 23 133

bigntallmike

Oh good, even more remote code execution errors that could have been affecting people right up until today.

Mark W. Kaelin (moderator)

Are the Microsoft patches giving you trouble this month? Maybe your peers can help - describe the problems you are having.