It's raining updates in Microsoft's September Patch Tuesday

Well it's back to school for some, and for others it's back to the Microsoft Update grindstone with a whopping September Patch Tuesday release of 13 updates (14 were previously announced but only 13 showed up) ─ four rated Critical and nine more rated Important.

This flood of updates from Microsoft is significant. Running through the four Critical updates, we see a focus on the Office applications and foundations, with SharePoint front and center. Microsoft's update MS13-067 deals with SharePoint vulnerabilities that could lead to remote code execution from an attacker. With this type of vulnerability, a specially crafted file could give administrator privileges to an unauthorized user. Microsoft has attempted to resolve this security issue by enabling machine authentication checks (MAC) according to industry best practices, particularly regarding how SharePoint reads and parses files. Through this single update, Microsoft is attempting to resolve the following reporting security issues:

  • SharePoint Denial of Service Vulnerability
  • Microsoft Office Memory Corruption Vulnerability
  • MAC Disabled Vulnerability
  • SharePoint XSS Vulnerability
  • POST XSS Vulnerability
  • Five Memory Corruption Vulnerabilities in Word

Interestingly, the final five vulnerabilities covered by this updates were reported by the Google Security Team. Maybe Google Docs is suffering from these types of Memory Corruption vulnerabilities. Also, the cross-site scripting (XSS) vulnerabilities are notoriously difficult to detect, debug and resolve - making this patch a key update to deploy this month.

The next update for September Patch Tuesday is MS13-068, which deals with a Microsoft Outlook security issue and attempts to address a remote code execution (RCE) vulnerability that could allow remote code execution if a user opens, or even previews, an email message using Microsoft Outlook. These types of attacks are particularly dangerous as the user does not actually have to open "bad" email to allow an attacker to have remote administrator level access to his or her machine. The user simply has to "skim" past the offending email in Outlook, and the preview pane will read the email and potentially compromise that system. If you are not able to deploy this patch quickly, Microsoft recommends that you disable the Outlook preview and reading pane in versions of Office 2007 and 2010.

Our third Critical September update is MS13-069 and deals with 10 security vulnerabilities for Microsoft Internet Explorer (IE). This is a big IE update for a number of serious security vulnerabilities that could lead to remote code execution attacks. It replaces last month's August IE update MS13-059, as well as July’s MS13-055 and June’s MS13-047. This update for IE affects versions six through 10, and surprisingly, affects Windows RT and is rated Critical for that platform, as well. This security vulnerability does not affect version 11 of IE, but I’m not sure many people are using this version of Microsoft's web browser, since it was just released on July 25 at the Microsoft 2013 Build developer conference. If you can't deploy this update immediately, Microsoft suggests the following workarounds:

  1. Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  2. Add sites that you trust to the Internet Explorer Trusted sites zone
  3. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  4. Add sites that you trust to the Internet Explorer Trusted sites zone

Unfortunately, this proposed workaround will disable pretty much any ActiveX control or third party add-on or tool for Internet Explorer, which may affect the viewing and use of certain websites. However, given that these vulnerabilities are now widely publicized, this may be a small price to pay until you can deploy this patch. Interestingly, at least one of the reported vulnerabilities that led to this Microsoft update was contributed by the HP Zero Day Initiative, which is described as:

"Launched on August 15, 2005, the Zero Day Initiative (ZDI) enriches our DVLabs with methodologies, expertise, and efforts of other researchers, encourages the reporting of zero-day vulnerabilities to affected vendors by rewarding contributors."

It looks like you can earn “points” for submitting well-described vulnerabilities and maybe even some cash. The ZDI website did not disclose how much is paid per vulnerability, but it did note that an anonymous submission would not be accepted, in case a particular security weakness was submitted by a “black-hat” hacker.

The fourth and final Critical update is MS13-070, is also related to remote code execution vulnerabilities, but this time in one of the core components of the Windows desktop and server platform ─ the Object Linking and Embedding feature more commonly known as OLE.  Microsoft describes the OLE functionality as:

"By using Microsoft's Object Linking and Embedding (OLE) technology, an application can provide embedding and linking support. OLE is the technology that applications use to create and edit compound documents. These are documents of one format, such as a Microsoft Word document, that contain embeddings of (or links to) documents of another format, such as Microsoft Excel. OLE 2.0 takes OLE even further by enabling in-place editing."

Historically, Microsoft OLE functionality has been a key component or a major dependency for many, if not most, third party applications, and still is in heavy use in most applications today. When Microsoft updates this kind of core functionality (like Kernel drivers), the application testing profile is generally quite large. The trouble with this type of security update is that it’s generally very difficult to know which applications are using the changed or updated OLE component and, subsequently, it is very difficult to know in advance which applications may have compatibility issues with the update.

Most organizations will not be able to test all of their applications prior to deploying this Microsoft patch; however, I do recommend that businesses test their business critical applications prior to this patch deployment. As a side note, if applications fail to copy and paste correctly, or fail to edit embedded images, documents or Excel files, then you know that MS13-070 is likely to blame. If you see the error message "OLE Error: Failed to Register Server," you are in deep trouble. 

The remaining 10 Microsoft Patch Tuesday updates are rated as Important and deal with remote code execution, elevation of privilege and dnial of service vulnerabilities. This large cohort of non-Critical, but still key Microsoft updates include patches to Windows Themes, the Windows Service Control Manager (the Windows applet that helps start and pause Services), and finally, Active Directory. 

A number of Important updates focus on a host of Microsoft Office products, including Access, FrontPage, Excel, and the core Office IME or Input Method Editor.  Microsoft describes an IME as:

"Input method editors or IMEs make it easier to type in languages (usually but not limited to East Asian ones) that are made up of thousands of characters that can't fit on a standard keyboard. When you buy a new Windows 8 or Windows RT PC, or install Windows 8 on an older PC, and add a language, Windows will automatically assign either a default keyboard or an IME for each language on the PC."

With this large number of patches for September's Patch Tuesday, and the real focus being on Microsoft Office products, we could be looking at a few bad days in the Office if there are any issues with patches recalled or updated again this month.

Copyright © 2013 IDG Communications, Inc.

Shop Tech Products at Amazon