Windows admins will have their hands full with the large number of security updates in this month’s Patch Tuesday.
There are fixes for 47 vulnerabilities in 13 bulletins for September’s Patch Tuesday cycle. Four of this month’s bulletins are critical. This year’s total for bulletins is up to 79, a considerable increase from 62 at the same time last year.
One critical bulletin this month addresses a remote code execution vulnerability in Microsoft Outlook, which can be exploited if users open certain emails in affected Outlook editions.
Patching this vulnerability is most important for enterprises that run Outlook software, because Outlook just needs to be open in order for it to be exploited, said Amol Sarwate, director of IT security firm Qualys Inc.’s vulnerability labs, based in Redwood Shores, Calif.
If users keep Outlook open overnight, the application’s preview pane would open the email, which could allow an attacker the same user rights as the local user on the workstation, Sarwate said.
Outlook is installed and running on a lot more user machines than other applications, which makes it a high priority, said Wolfgang Kandek, chief technology officer of Qualys.
Multiple versions of Internet Explorer will also receive critical fixes in a cumulative security update for ten remote code execution vulnerabilities. Attackers could gain a user’s rights if that user visits certain malicious webpages using the browser.
Windows Server is also affected by security updates, including a denial of service vulnerability in Active Directory’s Lightweight Directory Service (LDS).
“Most Active Directory servers are not exposed to the Internet,” said Sarwate, so an attacker would need to have already infiltrated the system in order to create havoc.
Another critical bulletin includes fixes for ten remote code execution vulnerabilities in SharePoint. The most severe vulnerability in bulletin MS13-067 could be exploited if attackers send content to affected SharePoint servers.
This month’s important bulletins also cover remote code execution, denial of service, elevation of privilege and information disclosure vulnerabilities. Many of these security updates affect Microsoft Office applications.
One of these important bulletins covers more than a dozen remote code execution vulnerabilities in Office software that could give attackers user rights if users open certain files with Office.
Other important bulletins for Office include fixes for remote code execution vulnerabilities in affected versions of Access and Excel, as well as an elevation of privilege vulnerability in the Chinese version of Microsoft Office Input Method Editor (IME).
The other important bulletins in this Patch Tuesday cycle include security updates for Active Directory, kernel-mode drivers and Microsoft FrontPage. A complete list of this month’s security updates can be viewed here.