Microsoft's September Patch Tuesday release had no "critical" patches for the first time in a long time.
Microsoft fixed 15 vulnerabilities across five security bulletins as part of its September Patch Tuesday release. After publicizing the patch details a few days early last week, Microsoft officially released the security bulletins and the accompanying patches on Sept. 13. As disclosed in the advance notification, none of the patches in this month's update is rated critical.
"Though there are no critical updates this month, these vulnerabilities can pave the way for cyber-criminals to execute more severe attacks, such as remote-code execution or remote-information disclosure," Dave Marcus, director of security research and communications at McAfee Labs, told eWEEK.
The bulletin that fixed an arbitrary code execution vulnerability in Excel (MS11-072) was rated as high priority by security researchers. The issue exists in all versions of Excel, including Excel 2010. Attackers could craft malicious Excel files and take control of the system simply by tricking an unsuspecting user into opening one, according to Wolfgang Kandek, CTO of Qualys.
In light of ongoing spear-phishing and targeted attacks that have used malicious Excel documents and links, the bulletin was "the most relevant and important," Kurt Baumgartner, a senior security researcher at Kaspersky Lab, wrote on the Securelist blog.
The patch fixing the code-execution vulnerability in Microsoft Office 2003, 2007 and 2010 (MS11-073), including Microsoft Word, should also be prioritized, according to Kandek. As with the Excel vulnerability, attackers could use a malicious Word file, a common attack vector, to execute code on victims' machines, Kandek wrote on the Laws of Vulnerabilities blog.
Microsoft continued its product-by-product cleanup of the DLL preloading issue identified last year. In this update, the issue was fixed in the deskpan.dll component (MS11-071). The DLL preloading bug affects all supported versions of Windows, according to Microsoft's bulletin.
"We've yet to see any exploits targeting one of these vulnerabilities," Joshua Talbot, security intelligence manager of Symantec Security Response, wrote on the Symantec Security Response blog.
The patches for SharePoint 2007, SharePoint 2010 and the Windows Internet Name Service (WINS) on Windows Server 2003 and Windows Server 2008 fixed elevation-of-privilege issues. Researchers at Core Security Technologies discovered and reported the WINS vulnerability. An attacker could elevate privileges on a system running the unpatched WINS service by sending it a specially crafted WINS replication packet. The attacker must already have valid log-on credentials and be able to log on locally to exploit this vulnerability, which limits it to a post-compromise or insider scenario rather than a remote entry point.
These patches "only apply to certain software configurations," said Tyler Reguly, technical manager of security research and development for nCircle.
Microsoft also released a separate update revoking six digital certificates signed by Entrust and CyberTrust, which had issued them on behalf of the compromised Dutch certificate authority DigiNotar. On Sept. 6, Microsoft moved DigiNotar's root certificates to the Untrusted Certificate Store, which blocks Windows from loading any Web site or running any application that presents a certificate chaining to DigiNotar. The company also updated Internet Explorer immediately after the breach.
"This update should probably be kept at the top of IT admins' to-do lists, even before any of today's patches, as there are attacks occurring in the wild leveraging the compromised certificates," said Talbot.
Microsoft also reminded its customers that, despite the "Comodohacker's" boasts, Windows Update was not compromised by the fraudulent DigiNotar certificates and can still be trusted.
"Windows Update is not at risk from fraudulent certificates as the update client will only install binaries signed by our own root CA [certificate authority] certificate," said Jerry Bryant, the group manager of Trustworthy Computing at Microsoft.
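As an added example (this is not code from the eWEEK article, from Microsoft, or from any of the researchers quoted), the following PowerShell script shows what an administrator can verify for both of the certificate points above: that the DigiNotar roots actually landed in the Untrusted Certificates store (exposed as the Disallowed store on the Cert: drive), and how a certificate chain or an Authenticode-signed update package resolves against the local trust stores, the same "only our own root" check Bryant describes for Windows Update. The function names, the Subject/Issuer filter on the string "DigiNotar", the "Microsoft Root" subject match and the sample file path are assumptions made for the illustration; it assumes PowerShell 3.0 or later on a Windows host with the September 2011 certificate updates applied.

```powershell
# Added example, not part of the article: inventory distrusted DigiNotar
# certificates and report what a certificate chain or a signed update package
# actually resolves to. Assumes PowerShell 3.0+ on Windows with the Cert: drive.

function Get-DistrustedDigiNotarCerts {
    # The "Untrusted Certificates" store appears as "Disallowed" on the Cert: drive.
    foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*DigiNotar*' -or $_.Issuer -like '*DigiNotar*' } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, Thumbprint, NotAfter
    }
}

function Test-CertificateChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for the whole chain, online; an unreachable CRL/OCSP
    # responder then surfaces as a chain status instead of passing silently.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($Certificate)

    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $rootSubject = $null
    if ($chain.ChainElements.Count -gt 0) {
        # The last element of a built chain is the root the platform resolved to.
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    # ExplicitDistrust is reported when a chain element sits in the Untrusted store,
    # which is exactly what the Sept. 6 move of the DigiNotar roots produces.
    $distrusted = $flags -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::ExplicitDistrust
    $revoked    = $flags -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked

    [pscustomobject]@{
        Subject              = $Certificate.Subject
        ChainBuilt           = $built
        RootSubject          = $rootSubject
        ExplicitlyDistrusted = $distrusted
        Revoked              = $revoked
        StatusText           = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

function Test-MicrosoftSignedBinary {
    # Mirrors the property Bryant describes for the update client: accept a binary
    # only when its Authenticode signature is valid and the chain ends in a
    # Microsoft root, regardless of which other CAs the machine trusts.
    param([Parameter(Mandatory = $true)][string] $Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }
    $info = Test-CertificateChain -Certificate $sig.SignerCertificate
    # '*Microsoft Root*' is an assumed subject match for the Microsoft root CA certificates.
    $ok = $info.ChainBuilt -and (-not $info.ExplicitlyDistrusted) -and ($info.RootSubject -like '*Microsoft Root*')
    [pscustomobject]@{ Path = $Path; Trusted = $ok; Reason = "root: $($info.RootSubject); $($info.StatusText)" }
}

# Usage (the package path is a placeholder; substitute a downloaded .msu or update .exe):
Get-DistrustedDigiNotarCerts | Format-Table -AutoSize
Test-MicrosoftSignedBinary -Path 'C:\Temp\update.msu'
```

Most Windows system binaries are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports NotSigned for them; point Test-MicrosoftSignedBinary at a standalone update package instead. An empty result from Get-DistrustedDigiNotarCerts on a machine that has not taken the Sept. 6 update is the finding to act on, since nothing then stops a DigiNotar-issued certificate from validating.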