In the coming week, Friday falls on the thirteenth day of the month.
That used to be a bad omen in computer security circles, because of the association with computer viruses that deliberately chose that date to unleash their warheads.
These days, however, it doesn’t tell you much more than that Tuesday is the Tenth, making it the second Tuesday of the month, and thus a Patch Tuesday.
Get ready: September’s Patch Tuesday has 14 bulletins, eight of which are listed as fixing remote code execution vulnerabilities.
The biggie is Bulletin Three, a “spare no versions” Internet Explorer (IE) update.
From IE 6 on Windows XP to IE 10 on Windows 8, including Windows 8 RT, this one hits the Patch Trifecta: it is considered critical, permits remote code execution, and requires a reboot.
At the other end of the risk scale, Server Core installations benefit once again from their reduced attack surface area, with no critical or remotable vulnerabilities reported.
(Windows 2008 R2 Service Pack 1 Server Core will, however, require a reboot to fix an Elevation of Privilege bug listed as important.)
There are four sorts of security flaw patched this month, so let’s take this opportunity to revise the implications of each vulnerability type.
Remote code execution
An RCE is the most serious sort of vulnerability.
It means that content supplied from outside your network, such as a web page or email, can trick your computer into running executable code that would usually require explicit download and installation.
This bypasses any security warnings or “are you sure” dialogs, and can lead to what’s called a drive-by download, where just visting a webpage or viewing an image could lead to infection with malware.
Elevation of privilege
EoP vulnerabilities allow a user or process to perform activities usually reserved for more privileged accounts.
Often, an EoP will allow regular users to convert themselves temporarily into an administrator, which pretty much means that all security bets are off.
With administrator privileges, untrusted users may be able to change file access permissions, add backdoor accounts, dump confidential databases, bypass many of the security protections on the network, and even alter logfiles to hide their tracks.
If an EoP vulnerability is combined with an RCE, an attacker may be able to take over your account while you’re browsing, and then make the leap to Administrator once they’re in.
An information disclosure vulnerability, or leak, happens when software inadvertently lets you retrieve data that ought to be protected.
If passwords or similar data are leaked, this could facilitate future attacks; if confidential data is recovered, this could lead to corporate emabrrassment or even data breach penalties.
Denial of service
A DoS is just what it sounds like: by needlessly consuming computing resources, or by deliberately provoking a crash of vulnerable software, you compromise the availability of a system.
DoSes are often considered to be at the bottom of the severity scale, since they don’t usually allow unauthorised access or lead directly to the exfiltration of confidential data.
Nevertheless, DoSes can be very costly, because they may hamper your ability to do business online, cost you revenue, or mask other parts of an attack.