On Thursday, September 5, Microsoft provided advance notice of the Operating System and application patches that are scheduled to be released on Tuesday, September 10. There are a total of fourteen (revised to thirteen on 9/10) security bulletins scheduled to be released. Four are assigned a severity of CRITICAL and the remaining ten are assigned a severity of IMPORTANT. Critical security bulletins will be released for all current versions of Internet Explorer on workstation operating systems, Microsoft Office, Microsoft server software (both SharePoint and also 32, 64 and Itanium versions of Windows Server 2003), and Windows XP*. Reliable exploit code is expected to be made public for the Internet Explorer vulnerabilities within the next 30 days.
For September, CRITICAL vulnerabilities are being patched in the following application products: Outlook 2007 sp3, Outlook 2010 sp1 and sp2 (both 32 and 64 bit versions).
Microsoft is also patching CRITICAL vulnerabilities in the following Server software and Office Services/Web Applications:
- SharePoint server 2003 – Windows SharePoint Services 2.0,
- SharePoint server 2007 – Windows SharePoint Services 3.0 sp3 (32 and 64 bit)
- SharePoint server 2010 sp1 and sp2 – SharePoint Foundation 2010 and SharePoint Server 2010 SP1 and SP2
- SharePoint server 2010 sp1 and sp2 – Excel Services, Microsoft Business Productivity Servers and Word Automation Servers
- Office Web apps 2010 sp1 and sp2 – Excel and Word Web app sp1 and sp2
- SharePoint server 2013 – SharePoint Foundation 2013 and SharePoint Server 2013 (designated as IMPORTANT)
*Note: Bulletin #2 – http://technet.microsoft.com/en-us/security/bulletin/MS13-060 is only applicable for Windows XP and Windows Server 2003 when the Bangali font is installed.
According to information available from Adobe, a security update will be released for Acrobat/Reader on Tuesday, September 10. http://www.adobe.com/support/security/bulletins/apsb13-22.html
Update Sept 10 – 10:30 a.m.
Adobe is releasing a security update for Flash and Air on September 10. Please see the following URL for details – http://www.adobe.com/support/security/bulletins/apsb13-21.html
Update Sept 10 – 2:30 p.m.
Microsoft has just provided additional details on the patches that are being released on Tuesday, September 10. As previously indicated, there are a total of four CRITICAL vulnerabilities that are being patched for September. Based on the scope of Operating Systems and Applications being patched, the AgriLife ISO recommendation is to patch workstations as soon as possible and server installations following adequate testing.
SharePoint vulnerabilities addressed in MS13-067 – remote code execution
While bulletin MS13-067 ( http://technet.microsoft.com/en-us/security/bulletin/ms13-067 ) addresses ten vulnerabilities in the Microsoft SharePoint Server, only one of the vulnerabilities is classified as CRITICAL and had been publicly disclosed prior to Sept 10. As reliable exploit code is expected to be identified within the next 30 days, it is recommended that this patch be applied to SharePoint systems as soon as possible following testing.
Note: For SharePoint server 2013 installations, the vulnerability is classified as IMPORTANT as opposed to CRITICAL.
Note2: Various Office applications such as Excel and Word running in SharePoint or Web application mode are also affected by the vulnerabilities addressed in MS13-067.
Outlook vulnerability addressed in MS13-068 – remote code execution
A single message certificate vulnerability in Outlook is being addressed in MS13-068 – http://technet.microsoft.com/en-us/security/bulletin/ms13-068 . The vulnerability has not been publicly disclosed prior to September 10 and, according to Microsoft, reliable exploit code that can leverage the vulnerability is not expected to be made available.
Internet Explorer vulnerabilities addressed in MS13-069 – remote code execution
A total of ten privately reported Internet Explorer vulnerabilities are being addressed in MS13-069 – http://technet.microsoft.com/en-us/security/bulletin/ms13-069 . With the exception of Internet Explorer version 11, all versions of the browser are affected. While none of the vulnerabilities had been disclosed publicly prior to Sept 10, eight of the ten vulnerabilities are expected to be targeted by reliable exploit code within the next 30 days. As is normally the case, the vulnerabilities are only classified as CRITICAL for workstation operating systems. The vulnerabilities are classified as MODERATE for server operating system installations (though use of web browsing functions for server installations is strongly discouraged).
Vulnerability in Object Linking and Embedding addressed in MS13-070 – remote code execution
A single vulnerability is being addressed in MS13-070 – http://technet.microsoft.com/en-us/security/bulletin/ms13-070 . The vulnerability only applies to Windows XP-SP3 (32 bit), Windows XP-SP2 (64 bit), and all 32 and 64 bit versions of Windows server 2003.
Vulnerabilities addressed in MS13-071/MS13-077 – remote code execution and elevation of privilege
The remaining patches being released by Microsoft for September are classified as IMPORTANT and deal with remote code execution and elevation of privilege vulnerabilities in Microsoft Office and Windows.
The patch designated as MS13-071 only applies to Windows XP/Vista and Server 2003/2008 systems.
Patch MS13-072 addresses Word memory corruption vulnerabilities in the following Microsoft Office products: Office 2003sp2/Word 2003sp2, Office 2007sp3/Word 2007sp3, Office 2010/Word 2010 (32 and 64 bit versions), and Office Compatibility pack and Word Viewer. For at least three of the thirteen vulnerabilities addressed in MS13-072, Microsoft has indicated reliable exploit code is likely to materialize in the next 30 days.
Patch MS13-073 addresses three privately reported vulnerabilities in Microsoft Office. The vulnerabilities are specific to Excel and apply to the following versions: Excel 2003, Excel 2007, Excel 2010 (32 and 64 bit versions), Excel 2013 (32 and 64 bit versions), Office for Mac 2011, Office Compatibility pack and Excel Viewer. Microsoft has indicated reliable exploit code is not expected to be made available within the next 30 days.
Patch MS13-074 addresses three privately reported vulnerabilities in Microsoft Office. The vulnerabilities are specific to Access and apply to the following versions: Access 2007, Access 2010sp1 and sp2 (32 and 64 bit versions) and Access 2013 (32 and 64 bit versions). Microsoft has indicated reliable exploit code IS expected to be made available within the next 30 days for at least 2 of the vulnerabilities.
Patch MS13-075 only applies to Chinese versions of Windows.
Patch MS13-076 addresses seven privately reported vulnerabilities in kernel mode drivers of Windows. These are specifically elevation of privilege vulnerabilities as opposed to remote code execution. Reliable exploit code is expected to be made available for at least four of the seven vulnerabilities being addressed in MS13-076. With the exception of Windows 8.1 and Server 2012R2, all workstation and server versions of Windows are affected.
Patch MS13-077 addresses a single privately reported vulnerability in the Service Control Manager module of Windows. The vulnerability only applies to Windows 7 and Windows Server 2008R2. According to Microsoft, reliable exploit code is expected to be difficult to develop.
Information disclosure and denial of service vulnerabilities addressed in MS13-078 and MS13-079
The remaining two patches (MS13-078 and MS13-079) address information disclosure and denial of service vulnerabilities respectively. Patch MS13-078 applies to FrontPage 2003sp3. Patch MS13-079 applies to the LDAP service of Active Directory for the following installations: Windows Vista (32 and 64 bit), Windows 7, Windows 8, Windows Server 2008 (32 and 64 bit versions – Itanium not included), Windows Server 2008R2 and Windows Server 2012.
In addition to the Adobe Reader/Acrobat patch released on Sept 10, Adobe released patches for Flash and Air. Please see the following URL for details – http://www.adobe.com/support/security/bulletins/apsb13-21.html