The first thing you’ll notice about the September 2013 Patch Tuesday is that there are only 13 patches to apply, even though there were 14 bulletins in last week’s pre-announcement.
One of the patches didn’t make it.
With all the fuss about Big Brother and computer security in the news right now, I don’t doubt that there will be conspiracy theories about the missing patch.
(For example, “What if the intelligence services ordered the patch held back for a while in order to keep a backdoor open?”)
As it happens, I don’t know what didn’t get patched, or why the patch didn’t come out, so I can’t disprove anybody’s fears – but I do think you can put away the tinfoil hats.
All eight of the originally-announced Remote Code Execution holes got patched, so you’re not missing any critical updates, literally or figuratively.
And with two patches having gone haywire for Microsoft last month, you might well expect a touch more conservatism from Redmond this time around.
Here are the fixes that did come out, neatly compressed into a table:
Bulletin ID | Software component | MS threat level | SophosLabs assessment | Vuln type |
---|---|---|---|---|
MS13-067 | SharePoint | Critical | High | RCE |
MS13-068 | Outlook | Critical | High | RCE |
MS13-069 | IE (Cumulative) | Critical | High | RCE |
MS13-070 | Windows | Critical | High | RCE |
MS13-071 | Windows | Important | Low | RCE |
MS13-072 | Office | Important | Critical | RCE |
MS13-073 | Excel | Important | Medium | RCE |
MS13-074 | Access | Important | Medium | RCE |
MS13-075 | Office | Important | Medium | EoP |
MS13-076 | Kernel | Important | Medium | EoP |
MS13-077 | Service Control Manager | Important | High | EoP |
MS13-078 | FrontPage | Important | Medium | Leak |
MS13-079 | Active Directory | Important | Low | DoS |
A reminder: RCE is remote code execution; EoP is elevation of privilege; DoS is denial of service; and Leak is incorrect data disclosure.
The big-ticket items this month – if any remote code execution hole can be dismissed as low-ticket, of course – are the fixes for Internet Explorer and Outlook.
These patches may well stop your users getting infected with malware by merely browsing to a web site or reading (even as a preview) an email.
Also of concern is the patch at the very top of the list: according to Microsoft, the hole in SharePoint could allow an attacker to take control of the server simply by sending malformed content to it.
The Office, Excel and Access RCE vulnerabilities are similar, with those applications at risk if you inadvertently open a booby-trapped file.
Note that the IE, Outlook and Office holes only give an attacker the same privileges as the user who is running the vulnerable application.
But any of those holes could be combined with one of the abovementioned EoP vulnerabilities.
This means an attacker could use RCE to get access as a locally logged in user, followed by an EoP to promote himself to an administrator.
Best get patching right away, then!
One of the Office patches causes Outlook 2013 to lose its folder pane. Installing KB2817503 seems to fix the problem.
Installing KB2817630 would cause Outlook 2013 to have a blank folder pane. That update is no longer being offered.
It appears that a lot of the updates are not right, as they keep on wanting to re-install although it tells you in update that they are installed. In particular kb2760588/ kb2760411 and kb28100048.
3 updates are coming again and again despite being installed already (KB2810048, KB2760411, KB2760588).
Also getting reports from our users that kb2760588/ kb2760411 and kb28100048 keep wanting a re-install, even after a reboot.
I can confirm that 3 patches, for Office, want to be re-downloaded and re-installed over and over again. We have this problem with 6 PCs all running XP and various versions of Office. The seventh PC doesn't have Office so doesn't suffer the problem.
Not found a solution yet, so we're busily ignoring the "Updates are ready" icon!
Since I've installed these patches, I can access my blog without signing in???
I don't like that, as it seems to make it too easy for others to access the same.
If my PC doesn't have Office, do I need to install the Office updates? Why are they even offered to me? Have Vista 32 bit.
I have the same problem with the 3 Office patches that want to be installed over and over and over.
I know the usual advice is to patch straight away but Microsoft are not helping by releasing problematic patches (four at my last count), and next time I will be sorely tempted to wait a few days until they sort the bugs out.
Hey Paul Ducklin how about some follow up on the three patches everyone is having trouble with that continue to reinstall?
Here you are:
http://nakedsecurity.sophos.com/microsoft-endures…
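Several commenters above report the same three Office updates being offered over and over. Before deciding whether to keep ignoring the "Updates are ready" icon, an administrator usually wants evidence from the machine itself: how many times has each of those KBs actually been recorded as installed? The script below is an added example, not code from the article, its author or the commenters. It reads the local Windows Update history through the `Microsoft.Update.Session` COM API (available on Windows XP SP3 and later) and counts the entries for the three KB numbers quoted in the comments; the KB list, the output wording and the choice to flag more than one "Succeeded" entry as a loop are assumptions made for this example. `Get-HotFix` is deliberately not used, because it reads `Win32_QuickFixEngineering`, which does not list Office updates.

```powershell
# Added example, not from the article: count how often each of the Office updates
# named in the comment thread appears in the local Windows Update history.
# Assumes the Microsoft.Update.Session COM API (Windows Update Agent) is present.

$kbIds = 'KB2760588', 'KB2760411', 'KB2810048'   # KB numbers taken from the comments

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = $searcher.QueryHistory(0, $total)

# OperationResultCode values used by the update history API
$resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded';
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

foreach ($kb in $kbIds) {
    # Update titles normally carry the KB number in parentheses, e.g. "... (KB2760588) ..."
    # Operation 1 = installation (2 would be an uninstallation)
    $entries = @($history |
        Where-Object { $_.Operation -eq 1 -and $_.Title -match "\($kb\)" } |
        Sort-Object Date)

    if ($entries.Count -eq 0) {
        Write-Output ("{0}: no installation entries in update history" -f $kb)
        continue
    }

    $succeeded = @($entries | Where-Object { $_.ResultCode -eq 2 }).Count
    $last      = $entries[-1]
    Write-Output ("{0}: {1} installation entries, {2} reported as Succeeded, last attempt {3} ({4})" -f `
        $kb, $entries.Count, $succeeded, $last.Date, $resultNames[[int]$last.ResultCode])

    # An update that has "succeeded" more than once is the looping behaviour the commenters describe
    if ($succeeded -gt 1) {
        Write-Output ("  -> {0} has been installed successfully {1} times: Windows Update is re-offering it" -f $kb, $succeeded)
    }
}
```

Run it in an elevated PowerShell prompt on an affected PC. A KB with several "Succeeded" entries but still being offered confirms the detection logic on the Windows Update side is the problem rather than a failed install, which is the distinction worth making before taking the follow-up article's advice or reporting the issue to Microsoft.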