Critical fixes for Office, Outlook and IE in September Patch Tuesday


Windows admins will have their hands full with the large number of security updates in this month’s Patch Tuesday.

There are fixes for 47 vulnerabilities in 13 bulletins for September’s Patch Tuesday cycle. Four of this month’s bulletins are critical. This year’s total for bulletins is up to 79, a considerable increase from 62 at the same time last year.

One critical bulletin this month addresses a remote code execution vulnerability in Microsoft Outlook, which can be exploited if users open certain emails in affected Outlook editions.

Patching this vulnerability is the most important for enterprises that  run Outlook software, because Outlook just needs to be open in order for it to be exploited, said  Amol Sarwate, director of IT security firm Qualys Inc.’s vulnerability labs, based in Redwood Shores, Calif.

If users keep Outlook open overnight, the application’s preview pane would open the email which could allow an attacker the same user rights as the local user on the workstation, Sarawte said.

Outlook is installed and running on a lot more user machines than other applications, which makes it a high priority, said Wolfgang Kandek, chief technology officer of Qualys.

Multiple versions of Internet Explorer will also receive critical fixes in a cumulative security update for ten remote code execution vulnerabilities. Attackers could gain users’ rights if they visit certain malicious webpages using the Internet browser.

Windows Server is also affected by security updates, including a denial of service vulnerability in Active Directory’s Lightweight Directory Service (LDS).

“Most Active Directory servers are not exposed to the Internet,” said Sarwate, so an attacker would need to have already infiltrated the system in order to create havoc.

Another critical bulletin includes fixes for ten remote code execution vulnerabilities in SharePoint. The most severe vulnerability in bulletin MS13-067 could be exploited if attackers send content to affected SharePoint servers.

This month’s important bulletins also cover remote code execution, denial of service, elevation of privilege and information disclosure vulnerabilities. Many of these security updates affect Microsoft Office applications

One of these important bulletins covers more than a dozen remote code execution vulnerabilities in Office software that could give attackers user rights if users open certain files with Office.

Other important bulletins for Office include fixes for remote code execution vulnerabilities in affected versions of Access and Excel, as well as an elevation of privilege vulnerability in the Chinese version of Microsoft Office Input Method Editor (IME).

The other important bulletins in this Patch Tuesday cycle include security updates for Active Directory, kernel-mode drivers and Microsoft FrontPage. A complete list of this month’s security updates can be viewed here.

Phone 5S Phishing Mail Arrives in time for launch.

While millions of mobile users are anticipating the launch of the new iPhone (5S and 5C), cybercriminals are already making their move to distribute spam that promise to give away the said devices for free, in the guise of a contest.

We saw samples of spammed messages that attempted to spoof an Apple Store email notification. The said message informs recipients that they won the latest iPhone 5S mobile phones and iPad.


Figure 1. Fake Apple email

To get these prizes, they are asked to go to a specific website and disclose their email address and password. This will obviously result in your credentials ending up in the hands of cybercriminals.


Figure 2. Phishing page

The content of the message and the sender’s email address are obviously fake. However, its combination of perfect timing plus popular social engineering hook may cause users to fall into the spammers trap. The most important thing to know is:  “if it’s too good to be true, it probably is” .

Feedback provided by the Smart Protection Network indicates that this mail is particularly effective in targeting Southeast Asian users:


Figure 3. Most affected countries