For some of us, it is time to go back to school. For others it is back to the grind, but at least it looks like September is a relatively light patch cycle. With this September Patch Tuesday from Microsoft we see four updates, with one update (for Microsoft Internet Explorer) rated as critical and the remaining three updates rated as important. September has historically been a difficult month in which to predict the nature and number of patches that Microsoft will release. Generally, September sees around five updates, but we have seen some very large patch releases in the past: 13 updates released in 2013 and 10 patches released in 2010.
Before we begin this month’s Patch Tuesday review, we should mention that Microsoft has updated last month’s critical update MS14-045 due to reports of Blue-Screen-of-Death (BSOD) errors with this update to the Microsoft networking stack. In last month’s posting, I mentioned that this update might cause these kinds of errors (BSOD), with the warning to test your applications heavily before deployment. There is still some uncertainty about this patch, so you may want to wait another few weeks before deploying this update.
The first update for this September Patch Tuesday relates to 36 privately reported security issues in Microsoft Internet Explorer (IE), with the most serious issue leading to a remote code execution scenario. This IE update affects all versions of IE on both 32-bit and 64-bit platforms, including the Windows RT platforms. Microsoft has been updating IE for a number of months now to address large numbers of privately reported security vulnerabilities relating to memory corruption issues. I have been commenting on this process for a while, as I believe that this is an internal exercise of hardening IE against potential future attacks. With each passing month of major updates for IE, this theory appears to gain increasing levels of credibility. At the time of writing, there is an error (or typo) on the Microsoft Security TechCenter page that describes file information. It is currently (mistakenly) redirecting this month’s IE update to last month’s IE patch file manifest. If you click directly on the Knowledge Base (KB) article KB 2977629 link, you will find the correct patch manifest which, just like previous months, contains another complete refresh of the IE installation code. This is a “patch now” update from Microsoft.
The first patch rated as important by Microsoft relates to a single privately reported security vulnerability in the Microsoft .NET Framework that could lead to a denial of service scenario. There is limited scope for this type of attack, as this security issue requires Microsoft ASP.NET to be installed and Microsoft IIS server to be installed and enabled. This update affects all versions of the .NET Framework except version 3.5 Service Pack 1. Please add this update to your normal patch release cycle.
The second patch rated as important by Microsoft deals with Windows Task Scheduler and relates to an elevation of privilege scenario if an attacker gains access to an affected system and executes a specially crafted application. In a reverse of the usual support scenario for Microsoft, only the latest versions of their platforms are affected: Windows 8.x, Windows RT and Server 2012. Previous versions, including Windows 7 and Server 2003, are not affected. In fact, though Microsoft does not mention it, Windows XP is probably not affected either. You can turn off Microsoft Task Scheduler easily enough and, unless you are an automation freak (like me), you probably will not miss it. Given that the patch manifest for this update really only updates a single DLL (SCHEDSVC.DLL) and its associated support files, I doubt very much that this security update will have a negative impact on your desktop or server platform. Include this update in your normal patch update process.
The last update for this September Patch Tuesday is rated as important by Microsoft and only applies to Microsoft Lync Server 2013. This Lync Server vulnerability deals with exceptions and null references when handling user input. The number of files that have been updated for Lync Server 2013 is substantial, and this patch should be tested thoroughly before updating your Lync 2013 servers.
3rd Party Updates
In addition to the Microsoft security-related updates released this month, Adobe has released security bulletins and updates for four of its core, free products: Adobe Acrobat, Reader, Flash and AIR.
The critical update for Adobe Acrobat and Adobe Reader was expected to be released today in synchronization with Microsoft’s Patch Tuesday. However, due to unexpected quality issues, this update is now scheduled for release on September 15.
Adobe will release an update for Flash and AIR that addresses a memory leak and six memory corruption issues that, if exploited, may lead to a remote code execution scenario. Adobe has rated this update as Priority 1, and it should get the same attention and priority as the IE update MS14-052 this month.
This article is published as part of the IDG Contributor Network.