September Patch Tuesday is out – one update lost en route, 13 patches left, 8 RCE, 4 critical

The first thing you’ll notice about the September 2013 Patch Tuesday is that there are only 13 patches to apply, even though there were 14 bulletins in last week’s pre-announcement.

One of the patches didn’t make it.

With all the fuss about Big Brother and computer security in the news right now, I don’t doubt that there will be conspiracy theories about the missing patch.

(For example, “What if the intelligence services ordered the patch held back for a while in order to keep a backdoor open?”)

As it happens, I don’t know what didn’t get patched, or why the patch didn’t come out, so I can’t disprove anybody’s fears – but I do think you can put away the tinfoil hats.

All eight of the originally-announced Remote Code Execution holes got patched, so you’re not missing any critical updates, literally or figuratively.

And with two patches having gone haywire for Microsoft last month, you might well expect a touch more conservatism from Redmond this time around.

Here are the fixes that did come out, neatly compressed into a table:

Bulletin ID   Software component        MS threat level   SophosLabs assessment   Vuln type
MS13-067      SharePoint                Critical          High                    RCE
MS13-068      Outlook                   Critical          High                    RCE
MS13-069      IE (Cumulative)           Critical          High                    RCE
MS13-070      Windows                   Critical          High                    RCE
MS13-071      Windows                   Important         Low                     RCE
MS13-072      Office                    Important         Critical                RCE
MS13-073      Excel                     Important         Medium                  RCE
MS13-074      Access                    Important         Medium                  RCE
MS13-075      Office                    Important         Medium                  EoP
MS13-076      Kernel                    Important         Medium                  EoP
MS13-077      Service Control Manager   Important         High                    EoP
MS13-078      FrontPage                 Important         Medium                  Leak
MS13-079      Active Directory          Important         Low                     DoS

A reminder: RCE is remote code execution; EoP is elevation of privilege; DoS is denial of service; and Leak is information disclosure (data that should have stayed private being exposed to an attacker).

The big-ticket items this month – if any remote code execution hole can be dismissed as low-ticket, of course – are the fixes for Internet Explorer and Outlook.

These patches may well stop your users getting infected with malware merely by browsing to a booby-trapped web site or by reading (or even just previewing) a malicious email.

Also of concern is the patch at the very top of the list: according to Microsoft, the hole in SharePoint could allow an attacker to take control of the server simply by sending malformed content to it.

The Office, Excel and Access RCE vulnerabilities are similar in effect, with those applications at risk if you inadvertently open a booby-trapped file.

Note that the IE, Outlook and Office holes only give an attacker the same privileges as the user who is running the vulnerable application.

But any of those holes could be chained with one of the abovementioned EoP vulnerabilities.

This means an attacker could use an RCE hole to get a foothold as the locally logged-in user, and then use an EoP hole to promote himself to administrator.

Best get patching right away, then!
