Microsoft Issues 13 Bulletins In Hefty Patch Tuesday Release

Patch Tuesday for September sees 47 vulnerabilities addressed

This month’s Patch Tuesday is a fairly sizeable one, with 13 bulletins covering 47 vulnerabilities.

Microsoft pulled a vulnerability related to a .NET issue, but a host of flaws remained in yesterday’s release, covering Windows, Office, Internet Explorer and SharePoint.

Four of the Patch Tuesday bulletins were ranked as critical, nine as important. Microsoft has singled out three flaws it believes should take priority.

Busy Patch Tuesday

The first is one that resides in Outlook and could be exploited to let a hacker execute code remotely.

“This privately reported issue could allow remote code execution if an email carrying a specially crafted S/MIME certificate is viewed or previewed on an affected system,” Microsoft said in a blog post.

“Creating S/MIME certificates is trivial, but creating the specific one in the precise manner needed to execute code will be difficult. Still, the possibility is there and that is why we listed this update as our highest priority for this month.”

The MS13-069 bulletin is also key, fixing 10 issues in all supported versions of Internet Explorer, which could be exploited if a user is directed to a specially crafted malicious website.

There are 10 issues in SharePoint Servers too, allowing for remote code execution. To exploit them, an attacker could send specially crafted content to an affected server, which would fail to properly validate the input and potentially let the hacker execute code on the server.

“The top three criticals should take priority this month but don’t forget about the balance of importants. It’s possible that a string of importants could be chained together and, with an escalation of privilege, you would have a big problem,” warned Paul Henry, security and forensics analyst at Lumension.

“Total Microsoft patches to-date for 2013 now sit at 79. This is well ahead of the 63 patches released through September, 2012.”
