September Patch Tuesday is out - one update lost en route, 13 patches left, 8 RCE, 4 critical

Filed Under: Featured, Microsoft, Vulnerability

The first thing you'll notice about the September 2013 Patch Tuesday is that there are only 13 patches to apply, even though there were 14 bulletins in last week's pre-announcement.

One of the patches didn't make it.

With all the fuss about Big Brother and computer security in the news right now, I don't doubt that there will be conspiracy theories about the missing patch.

(For example, "What if the intelligence services ordered the patch held back for a while in order to keep a backdoor open?")

As it happens, I don't know what didn't get patched, or why the patch didn't come out, so I can't disprove anybody's fears - but I do think you can put away the tinfoil hats.

All eight of the originally-announced Remote Code Execution holes got patched, so you're not missing any critical updates, literally or figuratively.

And with two patches having gone haywire for Microsoft last month, you might well expect a touch more conservatism from Redmond this time around.

Here are the fixes that did come out, neatly compressed into a table:

Bulletin ID Software component MS threat level SophosLabs assessment Vuln type
MS13-067 SharePoint Critical High RCE
MS13-068 Outlook Critical High RCE
MS13-069 IE (Cumulative) Critical High RCE
MS13-070 Windows Critical High RCE
MS13-071 Windows Important Low RCE
MS13-072 Office Important Critical RCE
MS13-073 Excel Important Medium RCE
MS13-074 Access Important Medium RCE
MS13-075 Office Important Medium EoP
MS13-076 Kernel Important Medium EoP
MS13-077 Service Control Manager Important High EoP
MS13-078 FrontPage Important Medium Leak
MS13-079 Active Directory Important Low DoS

A reminder: RCE is remote code execution; EoP is elevation of privilege; DoS is denial of service; and Leak is incorrect data disclosure.

The big-ticket items this month - if any remote code execution hole can be dismissed as low-ticket, of course - are the fixes for Internet Explorer and Outlook.

These patches may well stop your users getting infected with malware by merely browsing to a web site or reading (even as a preview) an email.

Also of concern is the patch at the very top of the list: according to Microsoft, the hole in SharePoint could allow an attacker to take control of the server simply by sending malformed content to it.

The Office, Excel and Access RCE vulnerabilities are similar, with those applications at risk if you inadvertently open a boobytrapped file.

Note that the IE, Outlook and Office holes only give an attacker the same privileges as the user who is running the vulnerable application.

But any of those holes could be combined with one of the abovementioned EoP vulnerabilites.

This means an attacker could use RCE to get access as a locally logged in user, followed by an EoP to promote himself to an administrator.

Best get patching right away, then!

Image of patch courtesy of Shutterstock.

, , , , ,

You might like

11 Responses to September Patch Tuesday is out - one update lost en route, 13 patches left, 8 RCE, 4 critical

  1. Richard · 758 days ago

    One of the Office patches causes Outlook 2013 to lose its folder pane. Installing KB2817503 seems to fix the problem.

  2. Bill · 758 days ago

    Installing KB2817630 would cause Outlook 2013 to have a blank folder pane. That update is no longer being offered.

  3. Kevin · 758 days ago

    It appears that a lot of the updates are not right as they keep on wanting to re-install although it tells you in update they are installed. In particular kb2760588/ kb2760411 and kb28100048.

    • Herbert · 758 days ago

      3 updates are coming again and again despite they are installed already (KB2810048, KB 2760411, KB2760588)

  4. Tony · 758 days ago

    Also getting reports from our users that kb2760588/ kb2760411 and kb28100048 keep wanting a re-install, even after a reboot.

  5. Guest · 758 days ago

    I can confirm that 3 patches, for Office, want to be re-downloaded and re-installed over and over again. We have this problem with 6 PCs all running XP and various versions of Office. The seventh PC doesn't have Office so doesn't suffer the problem.
    Not found a solution yet, so we're busily ignoring the "Updates are ready" icon!

  6. Cartman · 757 days ago

    Since I've installed these patches, I can access my blog without signing in???

    I don't like that, as it seems to make it too easy for others to access the same.

  7. GSH · 757 days ago

    If my PC doesn't have Office, do I need to install the Office updates? Why are they even offered to me? Have Vista 32 bit.

  8. David · 757 days ago

    I have the same problem with the 3 Office patches that want to be installed over and over and over.

    I know the usual advice is to patch straight away but Microsoft are not helping by releasing problematic patches (four at my last count), and next time I will be sorely tempted to wait a few days until they sort the bugs out.

  9. Fred · 756 days ago

    Hey Paul Ducklin how about some follow up on the three patches everyone is having trouble with that continue to reinstall?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog