Tony Bradley gathers the information you need to make the right deploy decision when applying Microsoft's September 2013 patches in your organization.
Apparently Microsoft encountered some issues between last week and today, because it had projected 14 security bulletins for today, but only 13 were released. There are four updates rated as Critical, with the other nine all ranked as Important by Microsoft. The security bulletins impact a wide range of products and services, including Windows, Microsoft Office, SharePoint, and what now seems to be the monthly cumulative update for Internet Explorer.
For SharePoint, an attacker could abuse the ViewState mechanism on two specific web pages and gain control over the server. By default, the pages require authentication, which limits the attack vector. If you have reconfigured authentication, this bulletin should be high on your list. Note that the bulletin contains work-around steps that you can configure immediately even if you cannot apply the patch right away.
This blog post is also available in the PDF format in a TechRepublic Download.
This month's thirteen security bulletins address vulnerabilities in Internet Explorer, Windows, Microsoft Office, and Microsoft Server software.
MS13-067 / KB2834052 – Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution
MS13-067 addresses ten vulnerabilities in SharePoint Server, and affects SharePoint 2003, 2007, 2010, and 2013, along with Office Web Apps 2010. The patch addresses multiple elevation-of-privilege vulnerabilities that could allow an attacker to execute code in the context of another SharePoint user. In certain situations where the default authentication mechanism has been changed, an attacker may be able to take control of the server. Safeguarding sensitive data is critical, so make sure to get this patch rolled out as soon as possible.
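The SharePoint paragraphs above describe an attack that abuses the ViewState mechanism on two pages, and note that the bulletin carries a workaround to use until the patch is deployed. The standard ASP.NET safeguard against tampered ViewState is MAC validation, which is on by default and is switched off with enableViewStateMac="false". The script below is an added example, not code from the bulletin or from TechRepublic; it audits a web root for that weak setting in web.config files and in page directives. Whether the two pages the bulletin refers to depend on this exact setting is an assumption here, not something the article states, and the $Root path is a placeholder.

```powershell
# Added example (not from the bulletin): audit ASP.NET configuration for
# ViewState MAC validation being disabled.
#   Weak:      <pages enableViewStateMac="false" ... />
#   Corrected: <pages enableViewStateMac="true"  ... />   (the ASP.NET default)
# Assumption: that the ViewState abuse described for MS13-067 rides on this
# setting; the article does not say so. $Root is a placeholder for the IIS
# web root or a SharePoint web application directory.
param(
    [string]$Root = 'C:\inetpub\wwwroot'
)

# Matches enableViewStateMac="false" both in web.config <pages> elements and in
# @Page / @Control / @Master directives inside .aspx, .ascx and .master files.
# Select-String is case-insensitive by default.
$pattern = 'enableViewStateMac\s*=\s*"?false"?'

$findings = Get-ChildItem -Path $Root -Recurse -File `
        -Include web.config, *.aspx, *.ascx, *.master -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern

if (-not $findings) {
    Write-Output "No files under $Root disable ViewState MAC validation."
} else {
    foreach ($f in $findings) {
        [pscustomobject]@{
            File = $f.Path
            Line = $f.LineNumber
            Text = $f.Line.Trim()
        }
    }
}
```

Run it as an account that can read the web application directories (elevated on a SharePoint front end). Every hit is a page or configuration that accepts unsigned ViewState; the fix is to remove the attribute or set it to true and then re-test the page, since applications that disabled MAC validation usually did so because of a ViewState mismatch in a farm, which is properly solved with a shared machineKey rather than by turning validation off.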
MS13-068 / KB2756473 – Vulnerability in Microsoft Outlook Could Allow Remote Code Execution
MS13-068 fixes a critical privately reported vulnerability in Outlook, which an attacker could use to execute arbitrary code in the context of the current user. It affects both Outlook 2007 and 2010. Attackers can exploit this with no user interaction beyond previewing or opening a message: the attacker crafts a malicious S/MIME message and sends it to target users, and the exploit is triggered when Outlook previews or opens it, enabling the attacker to run code in the context of the user. Because the Preview Pane is enough to trigger it, this attack vector makes it urgent to apply this patch as soon as possible.
MS13-069 / KB2870699 – Cumulative Security Update for Internet Explorer
MS13-069 is the latest cumulative security update for the Internet Explorer Web browser. The update applies to all supported versions of Internet Explorer, but none of the underlying flaws affects all versions of the browser. This patch should be deployed as quickly as possible, though, because any of these vulnerabilities can be used in drive-by exploits allowing the attacker to execute code in the context of the current user.
MS13-070 / KB2876217 – Vulnerability in OLE Could Allow Remote Code Execution
This update fixes a privately reported bug in the Windows operating system that could allow an attacker to execute remote code. If a user opens a file containing a specially crafted malicious OLE object, the system will be compromised, and the attacker will be able to execute code with the same rights as the user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS13-071 / KB2864063 – Vulnerability in Windows Theme File Could Allow Remote Code Execution
Some users love to download and apply cool themes to customize the look and feel of Windows. The vulnerability addressed by this patch can be exploited through a specially crafted malicious Windows theme. One mitigating factor is that the user must download and apply the malicious theme in order for the attack to work, so educating users against using suspicious or shady themes is advised as well.
MS13-072 / KB2845537 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
This update resolves a smorgasbord of privately reported vulnerabilities in Microsoft Office - 13 in all. The more severe vulnerabilities can be exploited through a specially crafted file being opened in an affected version of Microsoft Office. The attacker may be able to execute remote code in the context of the user. As with other similar issues, one way to mitigate the threat is to limit user privileges and not allow users to log in with administrative privileges.
MS13-073 / KB2858300 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
This update is similar in scope and impact to MS13-072, but more specific to Microsoft Excel. It resolves three privately reported vulnerabilities which could allow remote code execution in the context of the user if successfully exploited. Again, limiting user privileges on the system can minimize the threat or impact of these flaws.
MS13-074 / KB2848637 – Vulnerabilities in Microsoft Access Could Allow Remote Code Execution
This security update resolves three privately reported vulnerabilities in Microsoft Office - specifically Microsoft Access. As with MS13-072 and MS13-073, a specially crafted malicious Microsoft Access file could be used to exploit the flaws. A successful attack could allow the attacker to execute code with the same rights and privileges as the currently logged in user.
MS13-075 / KB2878687 – Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege
This update only affects Microsoft Office IME (Chinese), the Simplified Chinese input method editor that ships with Office, not the productivity suite itself. If a logged-on attacker launches Internet Explorer from the toolbar in Microsoft Pinyin IME for Simplified Chinese, they may be able to run arbitrary code in kernel mode. A successful exploit could enable an attacker to install malicious software, and add or remove user accounts with administrative privileges. Only installations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.
MS13-076 / KB2876315 – Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege
This update resolves seven privately reported vulnerabilities in Microsoft Windows. The bar for exploitation is higher because an attacker must have valid logon credentials, and be logged on locally to exploit these vulnerabilities. A successful exploit could allow the attacker to elevate their privileges on the compromised system. Keep in mind that a kernel-mode driver flaw like this is exactly what an attacker chains with one of this month's remote code execution bugs to go from the rights of the user who opened a malicious file to full control of the machine, so do not defer this one indefinitely just because it is rated Important.
MS13-077 / KB2872339 – Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege
This update fixes one privately reported flaw in Microsoft Windows. The threat is minimal because the attacker must either have valid logon credentials and be logged on locally to the vulnerable system, or trick a user into running a specially crafted application that triggers the exploit. If an attack is successful, the attacker could gain elevated privileges on the compromised system.
MS13-078 / KB2825621 – Vulnerability in FrontPage Could Allow Information Disclosure
Companies using Microsoft FrontPage could be at risk of information disclosure as a result of this privately reported vulnerability. The exploit cannot be triggered automatically, but if a user is tricked into opening a specially crafted FrontPage document, the attacker may be able to access restricted or sensitive information.
MS13-079 / KB2853587 – Vulnerability in Active Directory Could Allow Denial of Service
An attacker can create a denial-of-service condition in Active Directory by exploiting this vulnerability. A specially crafted Lightweight Directory Access Protocol (LDAP) query could cripple Active Directory.
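To turn the thirteen bulletins above into a deploy check, the script below (an added example, not from the article) reads a Windows host's Windows Update history through the Microsoft.Update.Session COM API and reports which of the KB numbers listed in this post are recorded as successfully installed. It uses that API rather than Get-HotFix because Get-HotFix only lists Windows component updates and would miss the Office and SharePoint bulletins. The KB numbers are the ones given in the bulletin titles above; the mapping of Office bulletins to per-product package KB numbers is not on this page and is not attempted here.

```powershell
# Added example (not from the article): report which September 2013 bulletin
# KBs appear as successfully installed in this host's Windows Update history.
# KB numbers are taken from the bulletin titles in the post above.
$bulletins = @{
    'MS13-067' = 'KB2834052'; 'MS13-068' = 'KB2756473'; 'MS13-069' = 'KB2870699'
    'MS13-070' = 'KB2876217'; 'MS13-071' = 'KB2864063'; 'MS13-072' = 'KB2845537'
    'MS13-073' = 'KB2858300'; 'MS13-074' = 'KB2848637'; 'MS13-075' = 'KB2878687'
    'MS13-076' = 'KB2876315'; 'MS13-077' = 'KB2872339'; 'MS13-078' = 'KB2825621'
    'MS13-079' = 'KB2853587'
}

# Windows Update Agent COM API: this history covers Windows, IE and Office
# updates installed through Windows Update / WSUS.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()

# Operation 1 = installation, ResultCode 2 = succeeded. Update titles carry the
# package KB in parentheses, e.g. "... (KB2870699)"; pull that token out.
$installed = $searcher.QueryHistory(0, $count) |
    Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
    ForEach-Object { if ($_.Title -match 'KB\d{6,7}') { $Matches[0] } } |
    Sort-Object -Unique

foreach ($id in ($bulletins.Keys | Sort-Object)) {
    $kb = $bulletins[$id]
    [pscustomobject]@{
        Bulletin  = $id
        KB        = $kb
        Installed = ($installed -contains $kb)
    }
}
```

Read the Installed column with two caveats. A False for a bulletin whose product is not on the host (MS13-068 on a server without Outlook, MS13-079 on a workstation) means not applicable, not unpatched. And the Windows bulletins ship as a single package carrying the bulletin's own KB number, whereas Office and SharePoint bulletins ship as per-product packages with their own KB numbers, so a False for MS13-072 through MS13-075 or MS13-067 should be confirmed against the package KBs in the bulletin's Affected Software table before a host is reported as missing the patch.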