We’re kicking off the Patch Central blog with a fairly hefty Patch Tuesday from Microsoft. This month brings us fourteen security bulletins, half of which pertain to Microsoft Office. The good news is that those who are using the latest version, Office 2013, aren’t affected by most of them; all but one of the vulnerabilities that are addressed are in Office 2003, 2007 and 2010.

Only four of the September patches are rated critical, although eight carry the possibility of remote code execution and three others present the risk of elevation of privileges. Supported Windows operating systems, from XP to Windows 8/RT, are affected by one or more of these updates.

We’ll take a brief look at each of the updates individually, beginning with those rated critical. Unless otherwise indicated, the patches apply to both 32 and 64 bit operating systems. All of these patches may require a system restart after installation. For more details about each update, see the Microsoft Security Bulletin (linked).

CRITICAL

MS13-067 (KB2834052) Affects SharePoint Portal Server 2003 SP3, SharePoint Server 2007 SP3, SharePoint Server 2010 SP1, SharePoint Server 2010 SP2, and SharePoint Server 2013 (including SharePoint Foundation 2013), along with Microsoft Office Web Apps 2010 SP1 and SP2, specifically the Excel and Word web apps. The Excel Services, Microsoft Business Productivity Servers component, and Word Automation Services on SharePoint Server 2007 and 2010 are impacted. The critical rating applies to all the versions of SharePoint except SharePoint Server 2013, for which it is rated important.

This update addresses ten vulnerabilities that include the possibility of remote code execution. It corrects the problem by enabling machine authentication check (MAC) and making corrections to the way SharePoint, Microsoft Office Services and Web apps handle request sanitization, undefined workflows and parsing of specially crafted files.

MS13-068 (KB2756473) Affects supported versions of Office 2007 and 2010, specifically Outlook. It does not affect Office 2003 SP1 or Office 2013/2013 RT, nor does it affect editions of Office that don’t include Outlook. It’s rated critical for all affected software.

This update addresses one vulnerability in Microsoft Outlook that was privately reported by Alexander Kink of n.runs AG. If a user opens a specially crafted email message in an affected version of Outlook, it could result in remote code execution. The update corrects the way Outlook parses specially crafted S/MIME messages.

MS13-069 (KB2870699) Affects all currently supported versions of Internet Explorer (6, 7, 8, 9 and 10) running on all currently supported and released operating systems. It does not affect Internet Explorer 11, which is available as a developer preview and as part of the (not yet released) Windows 8.1 and Windows Server 2012 R2 operating systems. It also does not affect Server Core installations, which do not include the web browser. The critical rating applies to IE running on client operating systems (XP, Vista, Windows 7, 8 and RT). It is rated critical for IE on server operating systems.

This is a cumulative security update for IE that addresses ten vulnerabilities, privately reported through HP’s Zero Day Initiative and by Google Security Team members, which could result in remote code execution.

MS13-070 (KB2876217) Affects supported versions of Windows XP and Windows Server 2003 only. Other versions of Windows client and server operating systems are not affected. The critical rating applies to all affected operating systems.

This update addresses a vulnerability that was reported privately by a member of HP’s Zero Day Initiative, which could result in remote code execution. The exploit would involve a specially crafted OLE file that would need to be opened by the user for a successful attack.

IMPORTANT

MS13-071 (KB2864063) Affects supported versions of Windows XP and Vista, as well as supported versions of Server 2003 and 2008 (except Server Core installations). Does not affect later released operating systems (Windows 7, 8, RT and Windows Server 2008 R2 or Server 2012). Also does not affect operating systems currently in preview (Windows 8.1 and Server 2012 R2). It’s rated important, rather than critical, because user action is required for an attack to succeed.

This update addresses another privately reported vulnerability that could allow remote code execution. In this case, it’s accomplished by getting a user to apply a Windows theme that is specially crafted by the attacker.  The update corrects the way theme files and screensavers are handled.

MS13-072 (KB2845537) Affects supported versions of Microsoft Office 2003, 2007 and 2010, specifically Microsoft Word. Also affected are the Microsoft Office Compatibility Pack SP3 (which is used to open the new XML-based Office format files with older versions of Office) and the Microsoft Word Viewer that’s used to open Word documents without having Word installed. Office 2013 (including 2013 RT) is not affected, nor is Office for Mac 2011. It’s rated Important for all affected software.

This update addresses thirteen vulnerabilities that were reported by members of the Google Security Team and Positive Technologies personnel. Opening a specially crafted file in an unpatched, affected version of Word or Word Viewer could allow remote code execution. The update corrects the way the XML parser in Word parses these files.

MS13-073 (KB2858300) Affects supported versions of Microsoft Office 2003, 2007, 2010 and 2013 (including 2013 RT), specifically Microsoft Excel. The Compatibility Pack SP3 and Excel Viewer are also affected, and in this case Office for Mac 2011 is also affected. It’s rated Important for all affected software.

This update addresses three vulnerabilities that were privately reported by members of CERT/CC and Positive Technologies. Opening a specially crafted file in an affected version of Excel or Excel Viewer could result in remote code execution. The update corrects the way the XML parser in Excel handles these files.

MS13-074 (KB2848637) Affects supported versions of Office 2007, 2010 and 2013, specifically Microsoft Access. Does not affect Office 2003 SP3. Also does not affect editions of Office that don’t include Access (such as Office 2013 RT and Office for Mac 2011, or the Home and Student editions, etc.). It’s rated Important for all affected software.

This update addresses three vulnerabilities that were privately reported by a member of Secunia SVCRP. Opening a specially crafted file in an affected version of Access could result in remote code execution. The update corrects the way the XML parser in Access handles these files.

MS13-075 (KB2878687) Affects Microsoft Office 2010 SP1 only, with Pinyin IME (Simplified Chinese).  Microsoft Office 2010 SP2 is not affected, nor are supported versions of Office 2007 and 2013/2013 RT. Other versions of the Simplified Chinese IME are not affected. It’s rated important for affected software.

This update addresses a vulnerability in the Office Pinyin Input Method Editor component for the Simplified Chinese language that was privately reported by Wei Wang of VulnHunt. It can be exploited by launching IE from the toolbar on a computer running the Simplified Chinese Pinyin IME, which could allow the attacker to run code in kernel mode. The update corrects the way the IME exposes configuration options.

MS13-076 (KB2876315) Affects all currently supported released versions of Windows client and server operating systems (XP, Vista, Windows 7, 8 and RT as well as Server 2003, 2008/2008 R2, and 2012), including Server Core installations. Preview versions of Windows 8.1/8.1 RT and Server 2012 R2 are not affected. It’s rated important for all affected software.

This update addresses seven vulnerabilities that were privately reported by Google and Qihoo 360 Security Center personnel. If an attacker is able to log onto the system and run a specially crafted application, this could result in elevation of privileges. The update fixes the problem by correcting the way the kernel-mode driver handles objects in memory.

MS13-077 (KB2872339) Affects Windows 7 SP1 and Server 2008 R2 SP1, including Server Core installations. Other versions of Windows client and server (XP, Vista, Windows 8 and RT, Server 2003, 2008, and 2012) are not affected.  Preview versions of Windows 8.1/8.1 RT and Server 2012 R2 are also not affected. It’s rated important for affected software.

This update addresses one vulnerability that was privately reported. An attacker would have to persuade an authenticated user to execute an application or be able to log on locally in order to successfully exploit it, in which case it could result in elevation of privileges. The update fixes the problem by correcting the way the Service Control Manager handles objects in memory.

MS13-078 (KB2825621) Affects FrontPage 2003 SP3. It does not affect any version of Microsoft SharePoint Designer. It’s unclear from the bulletin whether Expression Web is affected. It’s rated important.

This update addresses one vulnerability that was privately reported by a member of Positive Technologies. If a user opened a specially crafted FrontPage file with the affected software, it could result in disclosure of information. The update fixes the problem by correcting the way FrontPage handles Document Type Definitions (DTD).

MS13-079 (KB2853587) Affects supported versions of Windows Vista, 7 and 8, as well as Server 2008 and 2008 R2 for x86 and x64, and Server 2012. This includes Server Core installations. It does not affect supported released versions of XP or RT, nor Server 2003, 2008 and 2008 R2 for Itanium. It also does not affect preview versions of Windows 8.1/8.1 RT or Server 2012 R2 (including Server Core). It’s rated important.

This update addresses one vulnerability in Active Directory that was privately reported. If an attacker sends a specially crafted query to the LDAP service in AD, it could result in a denial of service (DoS) attack. The update fixes the problem by correcting the way LDAP handles such queries.
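As an added example (not from the original post), the following PowerShell check maps each bulletin above to its KB number and reports which are present on the local host. The split between Windows updates that Get-HotFix can see and Office-family MSI patches that it cannot is my own classification, and "missing" can also mean the bulletin simply does not apply to that Windows version.

```powershell
# Added example, not from the original post. Get-HotFix reads
# Win32_QuickFixEngineering, which records Windows component updates only;
# Office, SharePoint and FrontPage bulletins are MSI patches that never appear
# there, so they are reported as "not visible" rather than "missing".
# KB numbers are the ones given in the post; the Windows flag is my classification.
$bulletins = @(
    @{ Id = 'MS13-067'; KB = 'KB2834052'; Windows = $false; Note = 'SharePoint / Office Web Apps' },
    @{ Id = 'MS13-068'; KB = 'KB2756473'; Windows = $false; Note = 'Outlook 2007/2010 S/MIME' },
    @{ Id = 'MS13-069'; KB = 'KB2870699'; Windows = $true;  Note = 'IE cumulative update' },
    @{ Id = 'MS13-070'; KB = 'KB2876217'; Windows = $true;  Note = 'OLE (XP / Server 2003 only)' },
    @{ Id = 'MS13-071'; KB = 'KB2864063'; Windows = $true;  Note = 'theme files (XP/Vista/2003/2008 only)' },
    @{ Id = 'MS13-072'; KB = 'KB2845537'; Windows = $false; Note = 'Word' },
    @{ Id = 'MS13-073'; KB = 'KB2858300'; Windows = $false; Note = 'Excel' },
    @{ Id = 'MS13-074'; KB = 'KB2848637'; Windows = $false; Note = 'Access' },
    @{ Id = 'MS13-075'; KB = 'KB2878687'; Windows = $false; Note = 'Office Pinyin IME' },
    @{ Id = 'MS13-076'; KB = 'KB2876315'; Windows = $true;  Note = 'kernel-mode driver' },
    @{ Id = 'MS13-077'; KB = 'KB2872339'; Windows = $true;  Note = 'Service Control Manager (Win7/2008 R2 only)' },
    @{ Id = 'MS13-078'; KB = 'KB2825621'; Windows = $false; Note = 'FrontPage 2003' },
    @{ Id = 'MS13-079'; KB = 'KB2853587'; Windows = $true;  Note = 'Active Directory LDAP' }
)

# Get-WmiObject rather than Get-CimInstance so this also runs on PowerShell 2.0 (XP / 2003 era).
$os = (Get-WmiObject Win32_OperatingSystem).Caption

# Index installed hotfixes by KB id for constant-time lookup.
$installed = @{}
Get-HotFix | ForEach-Object { $installed[$_.HotFixID] = $_.InstalledOn }

Write-Host "Host: $env:COMPUTERNAME  OS: $os"
foreach ($b in $bulletins) {
    if (-not $b.Windows) {
        $state = 'not visible to Get-HotFix (Office-family MSI patch; check Programs and Features)'
    } elseif ($installed.ContainsKey($b.KB)) {
        $state = "installed $($installed[$b.KB])"
    } else {
        # Several bulletins cover only specific Windows versions (see Note),
        # so a missing KB must be read against the OS caption printed above.
        $state = 'MISSING (or not applicable to this OS)'
    }
    '{0} {1,-10} {2,-45} {3}' -f $b.Id, $b.KB, $b.Note, $state
}
```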

SUMMARY

This will be a moderately heavy patching load for organizations running the affected versions of Windows and Microsoft Office. We will be keeping an eye out for any problems that might emerge with any of these patches and will report them here on this blog. We’ll also be posting a summary of some of the most important third party patch releases for the month, and other patch-related news, so please stay tuned.
