September's Patch Tuesday is live! The 14 bulletins predicted were cut to 13, with the .NET patch landing on the cutting room floor. A patch getting pulled after the advance notice is up usually indicates that late testing revealed an undesired interaction with another product or component.
The 13 remaining bulletins split 7/6 between the Microsoft Office family and the Windows OS, if we count the Internet Explorer bulletin as part of the OS patching, anti-trust lawsuits notwithstanding.
Four of the bulletins are rated Critical, Microsoft's highest severity. All of them matter, although how urgently depends on which Windows versions are deployed in your environment. One of them is the monthly IE cumulative update, which is always important for those poor unfortunates who have not yet found a better browser; every supported version of IE needs it.
Microsoft is putting top priority on MS13-067, which affects SharePoint Server. The bulletin covers ten CVEs, and the most severe of them, CVE-2013-1330, allows remote code execution via malicious content sent to the server with no user interaction at all: genuine remote exploitation with nobody in the loop. Of the ten CVEs, one was publicly known before the bulletin, but reportedly that one is not CVE-2013-1330. There is a workaround for CVE-2013-1330 that consists of enabling the message authentication code (MAC) check on ASP.NET view state in the affected web application's configuration (see the bulletin for the exact change); it reduces exposure until the patch is applied, but it is not a substitute for applying it.
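The workaround is a web.config change, and a SharePoint farm has one web.config per web application, so it is worth auditing them all rather than editing one by hand. The following PowerShell script is an added example, not code from the original post or from the MS13-067 bulletin; it assumes the setting in question is the standard ASP.NET `<pages enableViewStateMac="...">` attribute, and the default root path is an assumed SharePoint IIS location that you should replace with your own web application roots. It reports every web.config under the given roots and, with `-Fix`, flips an explicit `false` to `true` after writing a backup.

```powershell
# Added example (not from the original post or the MS13-067 bulletin).
# Audits ASP.NET web.config files for enableViewStateMac="false" and, with -Fix,
# sets the attribute to "true" after taking a backup of the file.
# The default root is an ASSUMED SharePoint IIS path; pass your real web application roots.
param(
    [string[]]$Root = @('C:\inetpub\wwwroot\wss\VirtualDirectories'),  # assumption
    [switch]$Fix
)

function Test-ViewStateMac {
    param([string]$ConfigPath)

    [xml]$doc = Get-Content -Path $ConfigPath -Raw
    $pages = $doc.SelectSingleNode('/configuration/system.web/pages')

    # No <pages> element: the value is inherited from machine.config, which defaults to true.
    if ($null -eq $pages) {
        return [pscustomobject]@{ Path = $ConfigPath; Setting = 'inherited'; Action = 'none' }
    }

    $value = $pages.GetAttribute('enableViewStateMac')   # empty string when absent
    if ($value -and $value.ToLower() -eq 'false') {
        $action = 'needs fix'
        if ($Fix) {
            # Back up before touching a production config, then rewrite the attribute in place.
            Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
            $pages.SetAttribute('enableViewStateMac', 'true')
            $doc.Save($ConfigPath)
            $action = 'set to true (backup written)'
        }
        return [pscustomobject]@{ Path = $ConfigPath; Setting = 'false'; Action = $action }
    }

    # Either explicitly "true" or the attribute is absent (ASP.NET default is true).
    if ([string]::IsNullOrEmpty($value)) { $value = 'true (default)' }
    return [pscustomobject]@{ Path = $ConfigPath; Setting = $value; Action = 'none' }
}

Get-ChildItem -Path $Root -Recurse -Filter web.config -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ViewStateMac -ConfigPath $_.FullName } |
    Format-Table -AutoSize
```

Run it first without `-Fix` to see what you would change; a web.config that reports `inherited` or `true (default)` needs no edit. Note that this only hardens the configuration the bulletin's workaround points at; MS13-067 itself still has to be installed.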
The other two Criticals both require user interaction to trigger the vulnerability; however, MS13-068, affecting Microsoft Outlook, is particularly toxic because it can be triggered simply by viewing malicious content in the Outlook preview pane, so no attachment has to be opened. Apparently we have gone back in time and the risks of 2004 are real again. This is significant, and administrators will have to move fast to patch it before exploits appear.
MS13-070 is concerning because it applies only to XP and Server 2003, and vulnerabilities on those platforms tend to be less "contained" than on newer versions of Windows. XP and Office 2003 have shown no let-up in patching frequency, despite the end of XP support looming in April 2014. It will be here before we know it, and who knows how many patches will never make it out the door, let alone how many vulnerabilities will be found after that date in one of the world's most widely deployed operating systems.
If you run an MS-heavy shop and have invested significantly in SharePoint and all its glorious back-office services, this month is going to be very busy for you: lots to patch, much of it high risk. Office vulnerabilities are typically mitigated by the need for a user to interact with something malicious, an attachment or a link, before they can be exploited. With the Office server product (SharePoint) that mitigation may go away, since the server accepts content straight from the network, and the other layers of your defence in depth will have to carry the load.
This was a somewhat troublesome Patch Tuesday for our coverage team due to Microsoft's content behaving in unexpected ways. In this case, it's something that our users may also encounter so I'm outlining it here.
Basically, some of the patches for MS13-072 and MS13-073 are re-offered by Windows Update indefinitely even after they are applied correctly. The Microsoft Baseline Security Analyzer (MBSA) also continues to advise that the hosts are vulnerable after the patch is applied. The specific patches where we observed this are:
- KB2760411 (MS13-072)
- KB2760583 (MS13-073)
- KB2760588 (MS13-073)
- KB2760590 (MS13-073)
- KB2810048 (MS13-073)
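The discrepancy described above is easy to confirm on a host without trusting either Windows Update or MBSA: check what the installed-programs registry says about each KB and, separately, what the Windows Update Agent still offers. The PowerShell below is an added example, not code from the original post or from Rapid7; the KB list is the one given above, and it assumes that these Office updates register under the standard Uninstall keys with the KB number in their display name (as Windows Installer patches normally do). Everything else (paths, the WUA search query) is a standard API, but treat the output format as illustrative.

```powershell
# Added example (not from the original post). Compares the installed-programs registry
# view of a list of Office update KBs with what the Windows Update Agent still offers,
# to surface the "installed but re-offered indefinitely" condition described above.
# KB list comes from the post; the registry matching rule is an ASSUMPTION.
$Kbs = 'KB2760411', 'KB2760583', 'KB2760588', 'KB2760590', 'KB2810048'

# Office updates are Windows Installer patches. Get-HotFix / Win32_QuickFixEngineering
# only reports OS updates, so look at the Uninstall keys (64-bit and WOW6432Node views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installedNames = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object { $_.DisplayName }

# Ask the Windows Update Agent which software updates it still considers not installed.
# KBArticleIDs holds bare numbers ("2760411"), so prefix them to match the list above.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$offered  = @{}
foreach ($u in $searcher.Search("IsInstalled=0 and Type='Software'").Updates) {
    foreach ($id in $u.KBArticleIDs) { $offered["KB$id"] = $u.Title }
}

foreach ($kb in $Kbs) {
    # Display names look like "Update for Microsoft Office 2010 (KB2760411) 32-Bit Edition" (assumed).
    $matches = @($installedNames -match [regex]::Escape("($kb)"))
    $reoffered = $offered.ContainsKey($kb)

    $note = if ($matches.Count -gt 0 -and $reoffered) {
                'installed but still offered: verify by patched file versions, not by Windows Update'
            } elseif ($matches.Count -gt 0) { 'installed' }
            elseif ($reoffered)             { 'missing: install it' }
            else                            { 'not detected and not offered (likely not applicable)' }

    [pscustomobject]@{
        KB              = $kb
        RegistryEntry   = if ($matches.Count -gt 0) { $matches[0] } else { '(none)' }
        StillOfferedByWU = $reoffered
        Note            = $note
    }
}
```

Hosts in the state the post describes will show a registry entry for the KB together with `StillOfferedByWU = True`. When that happens, the authoritative check is the version of the binaries the bulletin says the update replaces, which is what a vulnerability scanner should be looking at rather than the Windows Update offer list.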
Rapid7's coverage of these advisories should be accurate and free from false positives and false negatives. However, users might incorrectly suspect a false negative in our scans since the patch will be re-offered by Windows Update.
We have reported these issues to the Office support team at Microsoft and they are investigating. We also saw discussion of these concerns in numerous Microsoft support forums yesterday, so it seems the problem is widespread. We will update this posting if Microsoft addresses the issue.