September’s Patch Tuesday is live! The 14 bulletins predicted have been cut to 13, with the .NET patch landing on the cutting room floor. A patch getting pulled after having been included in the advance notice usually indicates that late testing revealed an undesired interaction with another product or component.
The 13 remaining bulletins split 7/6 between the MS Office family and Windows OS patches, if we count the Internet Explorer patch as part of the OS patching, anti-trust lawsuits notwithstanding.
Four of the bulletins are rated critical. All of these are going to be important, subject to which versions of Windows are deployed in your environment. One of them is the monthly IE update, which is always important for those who have not yet found a better browser. All versions of IE require this update.
Microsoft is putting top priority on MS13-067, which affects SharePoint Server. The bulletin covers multiple CVEs, but the most severe of them is CVE-2013-1330, which allows remote code execution when malicious content is sent to the server, without any user interaction: genuine remote exploitation of a server. Of the 10 CVEs, one is already public, but reportedly that one is not CVE-2013-1330. A workaround for CVE-2013-1330 exists, which involves enabling state inspection for message authentication code attributes.
The other two critical bulletins both require user interaction to trigger the vulnerability; however, MS13-068, affecting Microsoft Outlook, is particularly toxic because it can be triggered when a user simply views malicious content in the Outlook preview pane. Apparently, we have gone back in time and the risks of 2004 are real again. This is pretty significant, and administrators will have to move fast to patch it before exploits appear.
MS13-070 is concerning because it applies only to XP and Server 2003, and vulnerabilities on those platforms tend to be less “contained” than on more mature versions of Windows. XP and Office 2003 have shown no let-up in patching frequency, despite the end of support for XP looming just around the corner in April 2014. April will be here before we know it, and who knows which patches will never make it out the door, let alone which vulnerabilities will be found after that date in one of the world’s most widely deployed operating systems.
If you are running an MS-heavy shop and have invested significantly in the back office technology of SharePoint and all its glorious services, then this month is going to be very busy for you. There are lots of vulnerabilities to patch, many of which are high risk. Office vulnerabilities are typically mitigated by the fact that they require a user to interact with something malicious, either an attachment or a link, in order to be exploited. With the Office server (SharePoint), that degree of mitigation may go away, and the other layers of your defense in depth will have to do the work instead.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.