Admins work overtime as Microsoft fixes Office with bumper 7 patches

From desktop to server and back

Microsoft's September Patch Tuesday will hand admins hours of unwanted overtime, including applying an unusually high number of patches affecting Office plus three critical patches for SharePoint Server.

Of the 14 bulletins, the fact that half affect Office is probably the standout news. Only two of these seven are rated 'critical', but that does include one flaw (bulletin 2) that can be triggered simply by previewing an email in Outlook 2007 Service Pack 3 or all versions of Outlook 2010.

That's a warning shot. Most Office vulnerabilities require some form of user interaction but this one is open to exploit even when an email is not opened.

Elsewhere, SharePoint Server also takes a big hit, affected in bulletin 1 across all versions and Service Packs from Microsoft SharePoint Portal Server 2003 Service Pack 3 to Microsoft SharePoint Server 2013.

"Given the complexity of SharePoint and its services it's no wonder it's patched so frequently," commented Tyler Reguly of vulnerability and security management firm Tripwire.

"It's amazing that Microsoft is still supporting FrontPage 2003 and SharePoint Portal Server 2003. These platforms are 10 years old, and from a software lifecycle point of view, it's time to let them die and have customers upgrade," he said.

Overall, four of the fourteen September 2013 bulletins are rated 'critical'.

"If you are running a Microsoft-heavy shop and have significantly invested in the back office technology of SharePoint and all its glorious services, then this month is going to be very busy for you," agreed Ross Barrett of security firm Rapid7.

Other security experts are more worried by the number of flaws Microsoft is running up.

As Wolfgang Kandek of Qualys pointed out in an analysis, 14 bulletins brings Microsoft to the 80 mark for 2013, which means the firm will likely surpass last year's total of 82 and almost certainly beat even 2011's 100.

This was a "good reflection of how challenging the computer security business continues to be," he said.

The whack taken by Office is also significant, with the number for the suite already matching the number for the whole of 2012. However, it is still unlikely that Office will exceed the 30 for 2011 and high points of 2008 and 2011, which saw 55 each.
