September’s edition of Microsoft’s Patch Tuesday advance notification has emerged in all its glory. A hefty 14 bulletins are in the offing, split equally between the MS Office family and Windows OS patches, with a sprinkling of Internet Explorer (IE) and .NET thrown in for flavor.
There are five advisories labeled as critical, Microsoft’s highest rating. All of these are going to be important, depending on which versions of Windows are deployed in your environment. One of these is going to be the monthly IE update, which is always important for those who have not yet switched to a better browser. All versions of IE require this update.
Of the four critical bulletins other than the IE one, bulletins four and five jump out as particularly concerning, especially four, which applies only to XP and 2003. Interestingly, bulletin five applies to Vista and 2008, but not Windows 7 or later. Either of these could be a wormable issue, though likely not in a default configuration.
If you are running a Microsoft-heavy shop and have invested significantly in the back-office technology of SharePoint and all its glorious services, then this month is going to be very busy for you. There are lots of patches to deploy, many of which are high risk. Office vulnerabilities are typically mitigated by the fact that they require a user to interact with something malicious, either through an attachment or a link, in order to be exploited. But with the Office Server (SharePoint), that degree of mitigation may go away, and other factors of defense in depth will come into play.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.