The September 2013 Patch Tuesday release found Microsoft one bulletin shy of what it had announced in its advance...
notification announcement last week. In all, 13 patches were released, 4 deemed "critical" and the rest tagged "important." A 14th patch, addressing a denial-of-service vulnerability in .NET, was held back for further testing. Adobe used the monthly patch day to announce fixes for critical vulnerabilities in Flash, Adobe Reader and Shockwave.
Included in the four critical bulletins was the monthly rollup of Internet Explorer fixes, including 10 privately reported vulnerabilities in the browser, some of them enabling remote code execution. Other critical patches tackled Microsoft Office products and flaws in SharePoint.
Qualys Chief Technology Officer Wolfgang Kandek said that, for him, the top bulletin "is MS13-068, which fixes a critical vulnerability in the S/MIME parsing of Microsoft Outlook. An attacker can exploit the certificate-parsing algorithm by signing an email and nesting over 256 certificates in the signature. The attack causes a buffer overflow, even if just visualized in Outlook's preview pane. The Outlook versions in the most popular Office versions, 2007 and 2010, are affected."
Kandek also called attention to MS13-072, which addresses Word, and MS13-073, which addresses Excel, noting that "both have file format vulnerabilities that can be used to take control of the targeted machine." Kandek found it interesting that "both bulletins credit researchers that have used fuzzing technology to find these file format vulnerabilities; in Word's case it was Google who found 12 issues and in Excel's case the CERT/CC found the two file format vulnerabilities."
Microsoft SharePoint also came in for some fixes, with Kandek noting that "an attacker could abuse the ViewState mechanism on two specific webpages and gain control over the server. By default, the pages require authentication, which limits the attack vector. If you have reconfigured authentication, this bulletin should be high on your list."
Ross Barrett, senior manager of security engineering at Boston-based Rapid7, noted that "if you are running a Microsoft-heavy shop and have significantly invested in the back office technology of SharePoint and all its glorious services, then this month is going to be very busy for you. There are lots of patches to deploy, many of which are high risk. Office vulnerabilities are typically mitigated by the fact that they require a user to interact with something malicious, either through an attachment or a link, in order to be exploited. But with the Office Server [SharePoint], that degree of mitigation may go away and other factors of defense in depth will come into play."