Microsoft plans to patch 15 vulnerabilities in Microsoft Windows, Office and Server software as part of the September Patch Tuesday release.
Microsoft will release five security bulletins, all of which are rated "important," according to the Microsoft Security Bulletin Advance Notification on Sept. 8. The fact that none of the patches were rated "critical" is unusual.
Microsoft defines patches as "important" if the bugs require some kind of user-intervention to execute the malicious payload, such as tricking the user into visiting a malicious Website and downloading malware.
The September release is fairly light and a welcome change from the last few months in which Microsoft issued an average of more than 10 bulletins. In August, Microsoft issues patches for 22 vulnerabilities in 13 bulletins. Even though none of the September vulnerabilities are rated critical, administrators should still quickly deploy the patches, Paul Henry, a security and forensic analyst for Lumension, told eWEEK.
Organizations can "gain a false sense of security" during light months and sometimes adopt "an attitude of complacency" towards vulnerabilities if they aren't rated as critical, Marcus Carey, a security researcher at Rapid 7, told eWEEK. Many organizations allow IT departments to take up to three months to patch "important" vulnerabilities, Carey said.
Attackers may not be able to gain full root privileges over target machines through "important" vulnerabilities, but they can exploit the bugs to get in the door, according to Carey.
After the initial compromise, attackers can use other vulnerabilities they find to escalate privileges to essentially wind up with the same result, Carey said.
The bulletins all addressed elevation of privilege and remote code execution vulnerabilities and may require a restart. Administrators should prioritize the remote code execution patches over the privilege escalation ones, according to security experts.
According to the preview announcement, two bulletins address operating system issues, and include both 32-bit and 64-bit versions of Windows XP, Windows Server 2003, 2008, and 2008 R2, Vista and Windows 7. Two bulletins fix bugs in Microsoft Office 2003, 2007 and 2010, Microsoft Office 2004, 2008 and 2011 for Mac, Microsoft Office Groove, SharePoint Workspace 2010 and the Excel Viewer. The final bulletin is for SharePoint flaws.
The light patching load is good news for IT administrators as it frees up time to address the potentially compromised digital certificates after the DigiNotar breach, according to Henry. "Many IT professionals are already busy dealing with replacing their server certificates and also updating user browser/OS software to revoke trust in compromised certificates so this Patch Tuesday is a welcome break," Henry said.
Microsoft updated all supported versions of the Windows operating system earlier this week to revoke all five DigiNotar root certificates. With the update, Internet Explorer would automatically block sites claiming certificates from the compromised Dutch certificate authority. While the changes have updated immediately, the company delayed the change for its Dutch customers by a week to give them a chance to obtain new SSL certificates from trusted sources. The update will arrive for Dutch customers on the same day as Patch Tuesday, Microsoft said.
Microsoft is schedule to distribute the September Patch Tuesday updates on Sept. 13.