Microsoft plans to patch 15 vulnerabilities in
Microsoft Windows, Office and Server software as part of the September
Patch Tuesday release.
Microsoft will release five security bulletins, all of which are rated "important," according to the Microsoft Security Bulletin Advance Notification on Sept. 8. The fact that none of the patches were rated "critical" is unusual.
Microsoft defines patches as "important" if the
bugs require some kind of user-intervention to execute the malicious
payload, such as tricking the user into visiting a malicious Website
and downloading malware.
The September release is fairly light and a
welcome change from the last few months in which Microsoft issued an
average of more than 10 bulletins. In August, Microsoft issues patches
for 22 vulnerabilities in 13 bulletins. Even though none of the
September vulnerabilities are rated critical, administrators should
still quickly deploy the patches, Paul Henry, a security and forensic
analyst for Lumension, told eWEEK.
Organizations can "gain a false sense of security"
during light months and sometimes adopt "an attitude of complacency"
towards vulnerabilities if they aren't rated as critical, Marcus Carey,
a security researcher at Rapid 7, told eWEEK. Many organizations allow
IT departments to take up to three months to patch “important”
vulnerabilities, Carey said.
Attackers may not be able to gain full root
privileges over target machines through "important” vulnerabilities,
but they can exploit the bugs to get in the door, according to Carey.
After the initial compromise, attackers can use
other vulnerabilities they find to escalate privileges to essentially
wind up with the same result, Carey said.
The bulletins all addressed elevation of privilege
and remote code execution vulnerabilities and may require a restart.
Administrators should prioritize the remote code execution patches over
the privilege escalation ones, according to security experts.
According to the preview announcement, two
bulletins address operating system issues, and include both 32-bit and
64-bit versions of Windows XP, Windows Server 2003, 2008, and 2008 R2,
Vista and Windows 7. Two bulletins fix bugs in Microsoft Office 2003,
2007 and 2010, Microsoft Office 2004, 2008 and 2011 for Mac, Microsoft
Office Groove, SharePoint Workspace 2010 and the Excel Viewer. The
final bulletin is for SharePoint flaws.
The light patching load is good news for IT
administrators as it frees up time to address the potentially
compromised digital certificates after the DigiNotar breach, according
to Henry. "Many IT professionals are already busy dealing with
replacing their server certificates and also updating user browser/OS
software to revoke trust in compromised certificates so this Patch
Tuesday is a welcome break," Henry said.
Microsoft updated all supported versions of the
Windows operating system earlier this week to revoke all five DigiNotar
root certificates. With the update, Internet Explorer would
automatically block sites claiming certificates from the compromised
Dutch certificate authority. While the changes have updated
immediately, the company delayed the change for its Dutch customers by
a week to give them a chance to obtain new SSL certificates from
trusted sources. The update will arrive for Dutch customers on the same
day as Patch Tuesday, Microsoft said.
Microsoft is schedule to distribute the September Patch Tuesday updates on Sept. 13.
IT Security & Network Security News & Reviews News & Reviews 
