Today’s Microsoft Patch Tuesday for September 2013 brings us 13 bulletins fixing 47 distinct vulnerabilities. Thirteen is one fewer than originally announced last week; the fourteenth bulletin, which applies to .NET and addresses a Denial-of-Service (DoS) vulnerability, is being held back for further testing. Adobe also announced new versions that fix critical vulnerabilities for Flash, Adobe Reader and Shockwave.
Eight of the bulletins provide fixes for Remote Code Execution (RCE) vulnerabilities, and four of the vulnerabilities are considered critical as they can be triggered without specific user interaction. On the top of our list is MS13-068, which fixes a critical vulnerability in the S/MIME parsing of Microsoft Outlook. An attacker can exploit the certificate parsing algorithm by signing an e-mail and nesting over 256 certificates in the signature. The attack causes a buffer overflow, even if the message is merely displayed in Outlook’s preview pane. The Outlook versions in the most popular Office releases, 2007 and 2010, are affected. On the plus side, Microsoft believes it is difficult to exploit and assigns it an Exploit Index value of “2.” More information can be found in Microsoft’s SRD blog post on MS13-068.
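As an added illustration (not code from Microsoft or from this post), the toy chain loader below shows the bug class behind MS13-068: a fixed 256-slot certificate table driven by an attacker-supplied count, beside a version that bounds the count before touching the table. The wire format, the function names and the `MAX_CHAIN` constant are constructed for this example and are not Outlook’s real S/MIME parser.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_CHAIN 256  /* fixed slot table: the bulletin's overflow needs more than 256 nested certificates */
typedef struct { uint8_t len; const uint8_t *der; } cert_ref_t;
typedef struct { cert_ref_t certs[MAX_CHAIN]; size_t count; } chain_t;

/* Toy wire format, constructed for this example (not real CMS/PKCS#7 DER):
 * [n_certs: 2 bytes big-endian] then n_certs x ([len: 1 byte][der: len bytes]). */

/* Vulnerable pattern: the attacker-controlled count drives the loop, so a signature
 * nesting more than MAX_CHAIN certificates writes past the end of certs[]. */
int load_chain_unchecked(const uint8_t *buf, size_t buflen, chain_t *out) {
    if (buflen < 2) return -1;
    size_t n = ((size_t)buf[0] << 8) | buf[1], off = 2;
    for (size_t i = 0; i < n && off < buflen; i++, off += 1 + buf[off]) { /* no i < MAX_CHAIN bound */
        out->certs[i].len = buf[off];          /* out-of-bounds write once i reaches 256 */
        out->certs[i].der = buf + off + 1;
    }
    out->count = n; return 0;
}

/* Hardened: reject an oversized count before the table is touched and bound every length. */
int load_chain_checked(const uint8_t *buf, size_t buflen, chain_t *out) {
    if (buflen < 2) return -1;
    size_t n = ((size_t)buf[0] << 8) | buf[1], off = 2;
    if (n > MAX_CHAIN) return -2;                      /* too many nested certificates: refuse */
    out->count = 0;
    for (size_t i = 0; i < n; i++) {
        if (off >= buflen) return -3;                  /* truncated entry */
        size_t len = buf[off++];
        if (len == 0 || len > buflen - off) return -3; /* length runs past the buffer */
        out->certs[i].len = (uint8_t)len; out->certs[i].der = buf + off;
        off += len; out->count++;
    }
    return 0;
}

/* Emits a constructed blob holding n_certs one-byte placeholder certificates; returns its size. */
size_t build_blob(uint8_t *out, size_t cap, size_t n_certs) {
    if (n_certs > 0xFFFF || cap < 2 + 2 * n_certs) return 0;
    out[0] = (uint8_t)(n_certs >> 8); out[1] = (uint8_t)n_certs;
    for (size_t i = 0; i < n_certs; i++) { out[2 + 2 * i] = 1; out[3 + 2 * i] = 0x30; }
    return 2 + 2 * n_certs;
}

int main(void) {   /* exit status 2 means the 257-certificate chain was rejected before parsing */
    static uint8_t blob[1024]; chain_t chain;
    return -load_chain_checked(blob, build_blob(blob, sizeof blob, 257), &chain);
}
```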
Our second highest priority is MS13-069, which brings a new version of Internet Explorer (IE). With this vulnerability, an attacker could use a malicious webpage to gain control over the targeted machine. All versions of IE are affected, starting with IE6 and including IE10 on Windows 8 and Windows RT. Both MS13-068 and MS13-069 should be addressed by IT admins as quickly as possible.
The next bulletins to focus on concern Microsoft Office. MS13-072, which addresses Word, and MS13-073, which addresses Excel, both fix file format vulnerabilities that can be used to take control of the targeted machine. Interestingly, both bulletins credit researchers who used fuzzing technology to find these file format vulnerabilities: in Word’s case it was Google, who found 12 issues, and in Excel’s case the CERT/CC, who found the two file format vulnerabilities. To exploit these, an attacker needs to entice the target to open a malicious file, most likely through a spear phishing type of e-mail. Microsoft only rates these vulnerabilities as “important” because they require the target to cooperate. However, attackers have proven time and again that they have the necessary social engineering techniques to overcome that obstacle with ease.
The remaining “critical” bulletins are MS13-067 for Sharepoint 2003, 2007, 2010 and 2013, and MS13-070 for Microsoft Visio. For Sharepoint, an attacker could abuse the viewstate mechanism on two specific web pages and gain control over the server. By default, the pages require authentication, which limits the attack vector. If you have reconfigured authentication, this bulletin should be high on your list. Note that the bulletin contains work-around steps that you can configure immediately even if you cannot apply the patch right away. One of the other vulnerabilities addressed, a POST XSS, was disclosed publicly prior to today’s patch. For Visio, an attacker can abuse a file format vulnerability by providing a malicious file. In certain circumstances the vulnerability can even be triggered without opening the file, if the user previews the file icon in Windows Explorer.
The remaining bulletins are of lower severity, and are all rated “important.” They address file format vulnerabilities in Microsoft Access (MS13-074), local escalation of privilege vulnerabilities in the Windows kernel (MS13-076), IME (MS13-075), the Windows State Control Manager (MS13-077) and the Windows theme mechanism (MS13-071).
Don’t forget the Adobe Reader and Flash updates; of course, if you run Google Chrome or Internet Explorer 10, the Flash update is applied automatically for you.
Overall, this is a larger than normal Patch Tuesday with a lot of focus on Microsoft Office with vulnerabilities in Outlook, Word, Excel, Visio and Access. Windows XP, Windows Server 2003 and Office 2003 are affected by eight of the 13 bulletins, which indicates that security researchers (for example Google’s team in MS13-072) continue to include those platforms even though they are on their way to retirement. Vulnerabilities in these applications will not go away after their retirement, so it is important that you have a migration plan for the post-April 2014 phase.