Get ready: Microsoft Patch Tuesday looms large with 14 patches and 8 remote code execution holes

Filed Under: Featured, Microsoft, Security threats, Vulnerability

In the coming week, Friday falls on the thirteenth day of the month.

That used to be a bad omen in computer security circles, because of the association with computer viruses that deliberately chose that date to unleash their warheads.

These days, however, it doesn't tell you much more than that Tuesday is the Tenth, making it the second Tuesday of the month, and thus a Patch Tuesday.

Get ready: September's Patch Tuesday has 14 bulletins, eight of which are listed as fixing remote code execution vulnerabilities.

The biggie is Bulletin Three, a "spare no versions" Internet Explorer (IE) update.

From IE 6 on Windows XP to IE 10 on Windows 8, including Windows 8 RT, this one hits the Patch Trifecta: it is considered critical, permits remote code execution, and requires a reboot.

At the other end of the risk scale, Server Core installations benefit once again from their reduced attack surface area, with no critical or remotable vulnerabilities reported.

(Windows 2008 R2 Service Pack 1 Server Core will, however, require a reboot to fix an Elevation of Privilege bug listed as important.)

There are four sorts of security flaw patched this month, so let's take this opportunity to revise the implications of each vulnerability type.

Remote code execution

An RCE is the most serious sort of vulnerability.

It means that content supplied from outside your network, such as a web page or email, can trick your computer into running executable code that would usually require explicit download and installation.

This bypasses any security warnings or "are you sure" dialogs, and can lead to what's called a drive-by download, where just visiting a webpage or viewing an image could lead to infection with malware.

Elevation of privilege

EoP vulnerabilities allow a user or process to perform activities usually reserved for more privileged accounts.

Often, an EoP will allow regular users to convert themselves temporarily into an administrator, which pretty much means that all security bets are off.

With administrator privileges, untrusted users may be able to change file access permissions, add backdoor accounts, dump confidential databases, bypass many of the security protections on the network, and even alter logfiles to hide their tracks.

If an EoP vulnerability is combined with an RCE, an attacker may be able to take over your account while you're browsing, and then make the leap to Administrator once they're in.

Information disclosure

An information disclosure vulnerability, or leak, happens when software inadvertently lets you retrieve data that ought to be protected.

If passwords or similar data are leaked, this could facilitate future attacks; if confidential data is recovered, this could lead to corporate embarrassment or even data breach penalties.

Denial of service

A DoS is just what it sounds like: by needlessly consuming computing resources, or by deliberately provoking a crash of vulnerable software, you compromise the availability of a system.

DoSes are often considered to be at the bottom of the severity scale, since they don't usually allow unauthorised access or lead directly to the exfiltration of confidential data.

Nevertheless, DoSes can be very costly, because they may hamper your ability to do business online, cost you revenue, or mask other parts of an attack.


4 Responses to Get ready: Microsoft Patch Tuesday looms large with 14 patches and 8 remote code execution holes

  1. Bob H · 388 days ago

    Deffo Linux as next OS.

  2. 2072 · 387 days ago

    Is Microsoft closing a few backdoors left open for the NSA? (after last week Guardian/Snowden revelations that, surprisingly, were not covered in this blog). 14 patches is quite rare...

  3. On Windows 7 Home Premium my history shows I have successfully installed (twice):

    Security Update for Microsoft Office 2007 suites (KB2760588) Successful

    Security Update for Microsoft Office Excel 2007 (KB2760583) Successful

    Security Update for Microsoft Office 2007 suites (KB2760411) Successful

    Security Update for Microsoft Office Excel Viewer 2007 (KB2760590) Successful

    Security Update for Microsoft Office 2007 suites (KB2760588) Successful

    Security Update for Microsoft Office Excel 2007 (KB2760583) Successful

    Security Update for Microsoft Office 2007 suites (KB2760411) Successful

    Security Update for Microsoft Office Excel Viewer 2007 (KB2760590) Successful

    but Windows update still says they need to be installed!

    Any ideas?

    • Steve · 383 days ago

      This has been reported by many people. Microsoft is aware of the problem and is working on it.
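As an added example (not from the article or from any of the commenters), here is a PowerShell check for the symptom described in comment 3: it reads the Windows Update Agent's install history for the KB numbers quoted in that comment and then asks Windows Update whether it still offers any of them. The KB numbers are taken from the comment; the Microsoft.Update.Session COM object is the standard WUA API and must be run on the affected machine from an elevated prompt.

```powershell
# Added example: cross-check Windows Update history against what Windows Update
# still offers, for the Office 2007 KBs listed in the comment above.
# Uses the Windows Update Agent COM API (Microsoft.Update.Session).

$kbs = @('2760588', '2760583', '2760411', '2760590')   # KB numbers from the comment

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# OperationResultCode values defined by the WUA API
$resultNames = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

# 1. Every history entry that mentions one of the KBs, most recent first.
#    Repeated 'Succeeded' installs of the same KB are exactly the pattern the comment reports.
$total   = $searcher.GetTotalHistoryCount()
$history = $searcher.QueryHistory(0, $total)
foreach ($kb in $kbs) {
    $entries = @($history | Where-Object { $_.Title -match "KB$kb" } | Sort-Object Date -Descending)
    Write-Host "KB$kb : $($entries.Count) history entries"
    foreach ($e in $entries) {
        $op = if ($e.Operation -eq 1) { 'Install' } else { 'Uninstall' }
        Write-Host ("    {0:yyyy-MM-dd HH:mm}  {1,-9} {2}" -f $e.Date, $op, $resultNames[[int]$e.ResultCode])
    }
}

# 2. What Windows Update still considers missing. A KB that shows 'Succeeded' in
#    history but is listed here means the update's applicability rule still fires
#    (the files it patches are not at the expected version), so the history entry
#    alone is not evidence that the vulnerability is closed.
$pending = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
foreach ($kb in $kbs) {
    $still = @($pending | Where-Object { @($_.KBArticleIDs) -contains $kb })
    if ($still.Count -gt 0) {
        Write-Host "KB$kb is STILL OFFERED: $($still[0].Title)"
    } else {
        Write-Host "KB$kb is not offered (Windows Update considers it installed or not applicable)"
    }
}
```

If a KB is still offered after repeated successful installs, treat the machine as unpatched for that bulletin until the cause is resolved; the history alone should not be used as evidence of compliance.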


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog