The first thing you’ll notice about the September 2013 Patch Tuesday is that there are only 13 patches to apply, even though there were 14 bulletins in last week’s pre-announcement.
One of the patches didn’t make it.
With all the fuss about Big Brother and computer security in the news right now, I don’t doubt that there will be conspiracy theories about the missing patch.
(For example, “What if the intelligence services ordered the patch held back for a while in order to keep a backdoor open?”)
As it happens, I don’t know what didn’t get patched, or why the patch didn’t come out, so I can’t disprove anybody’s fears – but I do think you can put away the tinfoil hats.
All eight of the originally-announced Remote Code Execution holes got patched, so you’re not missing any critical updates, literally or figuratively.
And with two patches having gone haywire for Microsoft last month, you might well expect a touch more conservatism from Redmond this time around.
Here are the fixes that did come out, neatly compressed into a table:
| Bulletin ID | Software component | MS threat level | SophosLabs assessment | Vuln type |
|---|---|---|---|---|
| MS13-077 | Service Control Manager | Important | High | EoP |
A reminder: RCE is remote code execution; EoP is elevation of privilege; DoS is denial of service; and Leak is incorrect data disclosure.
The big-ticket items this month – if any remote code execution hole can be dismissed as low-ticket, of course – are the fixes for Internet Explorer and Outlook.
These patches may well stop your users getting infected with malware by merely browsing to a web site or reading (even as a preview) an email.
Also of concern is the patch at the very top of the list: according to Microsoft, the hole in SharePoint could allow an attacker to take control of the server simply by sending malformed content to it.
The Office, Excel and Access RCE vulnerabilities are similar, with those applications at risk if you inadvertently open a boobytrapped file.
Note that the IE, Outlook and Office holes only give an attacker the same privileges as the user who is running the vulnerable application.
But any of those holes could be combined with one of the above-mentioned EoP vulnerabilities.
This means an attacker could use an RCE hole to get access as a locally logged-in user, followed by an EoP hole to promote himself to an administrator.
Best get patching right away, then!
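One practical follow-up to "get patching" is to check which of the month's updates a machine has actually installed. The script below is an added example, not code from the original article or from Sophos, and it uses only the standard `Get-HotFix` cmdlet. The KB numbers in it are placeholders: the article lists bulletin IDs (such as MS13-077) but not the KB article numbers those bulletins install, so you would substitute the real KB IDs from the Microsoft bulletin pages.

```powershell
# Added example (not from the original article): report which of a set of
# required hotfixes are missing from the local machine.
# The KB numbers are PLACEHOLDERS; the article gives bulletin IDs, not KB IDs.

function Get-MissingHotfix {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Required   # KB IDs, e.g. 'KB1234567'
    )

    # Get-HotFix wraps Win32_QuickFixEngineering; HotFixID holds the KB string.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    # Wrap in @() so a single missing item still behaves as an array.
    return @($Required | Where-Object { $installed -notcontains $_ })
}

$requiredHotfixes = @(
    'KB0000001',   # placeholder for the MS13-077 (Service Control Manager, EoP) update
    'KB0000002'    # placeholder for one of the RCE fixes (IE, Outlook, Office, SharePoint)
)

$missing = Get-MissingHotfix -Required $requiredHotfixes

if ($missing.Count -eq 0) {
    Write-Output "All listed hotfixes are installed."
} else {
    # RCE fixes close the initial foothold; EoP fixes close the escalation step,
    # so both halves of the chain described above need to be present.
    Write-Output "Missing hotfixes:"
    $missing | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated PowerShell session on each host you manage; the output is a plain list that can be fed into whatever ticketing or inventory process you use to track patch compliance.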