Admins work overtime as Microsoft fixes Office with bumper 7 patches

From desktop to server and back

Microsoft's September Patch Tuesday will hand admins hours of unwanted overtime, including applying an unusually high number of patches affecting Office plus three critical patches for SharePoint Server.

Of the 14 bulletins, the fact that half affect Office is probably the standout news. Only two of these seven are rated 'critical', but that does include one flaw (bulletin 2) that can be triggered simply by previewing an email in Outlook 2007 Service Pack 3 or all versions of Outlook 2010.

That's a warning shot. Most Office vulnerabilities require some form of user interaction but this one is open to exploit even when an email is not opened.

Elsewhere, SharePoint Server also takes a big hit, affected in bulletin 1 across all versions and Service Packs from Microsoft SharePoint Portal Server 2003 Service Pack 3 to Microsoft SharePoint Server 2013.

"Given the complexity of SharePoint and its services it's no wonder it's patched so frequently," commented Tyler Reguly of vulnerability and security management firm Tripwire.

"It's amazing that Microsoft is still supporting FrontPage 2003 and SharePoint Portal Server 2003. These platforms are 10 years old, and from a software lifecycle point of view, it's time to let them die and have customers upgrade," he said.

Overall, four of the fourteen September 2013 bulletins are rated 'critical'.

"If you are running a Microsoft-heavy shop and have significantly invested in the back office technology of SharePoint and all its glorious services, then this month is going to be very busy for you," agreed Ross Barrett of security firm Rapid7.

Other security experts are more worried by the number of flaws Microsoft is running up.

As Wolfgang Kandek of Qualys pointed out in an analysis, 14 bulletins brings Microsoft to the 80 mark for 2013, which means the firm will likely surpass last year's total of 82 and almost certainly beat even 2011's 100.

This was a "good reflection of how challenging the computer security business continues to be," he said.

The whack taken by Office is also significant, with the number for the suite already matching the number for the whole of 2012. However, it is still unlikely that Office will exceed the 30 for 2011 and high points of 2008 and 2011, which saw 55 each.
