This is definitely a September to remember – last year at this time Microsoft released only two bulletins and both were only rated Important. Contrast that to today – Microsoft has released 13 patches covering 47 CVEs. One additional important-level bulletin included in the advance notification that addressed a .Net issue was pulled for quality reasons.
According to Paul Henry, security and forensics analyst at Lumension, we’re seeing big numbers this month but there is perhaps some good news: only four patches are considered critical, two were publically known yet Microsoft has not seen active attacks on any of the September CVEs to-date and none of them impact the current code base.
IE, Sharepoint and Outlook are hardest hit this month, and vulnerabilities in XP and Windows 2003 were also patched…something we hopefully will see more of as the XP end-of-life date of April 8, 2014 nears. Win 2003 follows that 15 months later with its own EOL date of July 14, 2015. For anyone using XP, a migration plan must be put in place if you don’t already have one.
Click through for a rundown of patches released by Microsoft this month, as identified by Paul Henry, security and forensics analyst, Lumension.
Prioritizing your patches this month should be done partly based on your organization’s usage of the effected software. MS13-067 is a critical patch for nine CVEs in Sharepoint 2003, 2007 and 2010 that could allow a remote code execution. One of those CVEs was publically known and five are shared with Microsoft Office. If you use Sharepoint, patch this one first.
MS13-068 patches one CVE that requires user interaction within a malicious S/MIME email sent via Microsoft Outlook, also rated critical. The exploit code on this one is fairly complex, so it’s tough to execute but it is a bad vulnerability.
MS13-069 is a cumulative update for IE, with 10 privately disclosed CVEs impacting all versions of the popular browser.
Next up should be MS-070, a remote code execution in Object Linking and Embedding (OLE) in Windows XP and 2003. There have not been any active attacks; this one was privately reported. This is an important priority for any XP or 2003 system, but then again, upgrading should rank high on the priority list too.
MS13-071 is an important class patch that covers a remote code execution in Windows Theme.
MS13-072 is a remote code execution important patch for Office. The next two, MS13-073 and MS13-074 also hit Office, patching vulnerabilities in Excel and Access respectively. MS13-075 is a possible elevation of privilege issue in Office IME, the Chinese version.
MS13-076 is a vulnerability in kernel drivers that could allow elevation of privilege. MS13-077 patches a vulnerability in Windows Service Control Manager that could allow an elevation of privilege; MS13-078 is for a vulnerability in Front Page that could allow information disclosure, MS13-079 is vulnerability in Active Directory that could allow denial of service, as well.