Admins work overtime as Microsoft fixes Office with bumper 7 patches

From desktop to server and back

Microsoft's September Patch Tuesday will hand admins hours of unwanted overtime, including applying an unusually high number of patches affecting Office plus three critical patches for SharePoint Server.

Of the 14 bulletins, the standout news is probably that half affect Office. Only two of these seven are rated 'critical', but they include one flaw (bulletin 2) that can be triggered simply by previewing an email in Outlook 2007 Service Pack 3 or all versions of Outlook 2010.

That's a warning shot. Most Office vulnerabilities require some form of user interaction, but this one is open to exploitation even when an email is not opened.

Elsewhere, SharePoint Server also takes a big hit, affected in bulletin 1 across all versions and Service Packs from Microsoft SharePoint Portal Server 2003 Service Pack 3 to Microsoft SharePoint Server 2013.

"Given the complexity of SharePoint and its services it's no wonder it's patched so frequently," commented Tyler Reguly of vulnerability and security management firm Tripwire.

"It's amazing that Microsoft is still supporting Frontpage 2003 and SharePoint Portal Server 2003. These platforms are 10 years old, and from a software lifecycle point of view, it's time to let them die and have customers upgrade," he said.

Overall, four of the fourteen September 2013 bulletins are rated 'critical'.

"If you are running a Microsoft-heavy shop and have significantly invested in the back office technology of SharePoint and all its glorious services, then this month is going to be very busy for you," agreed Ross Barrett of security firm Rapid7.

Other security experts are more worried by the number of flaws Microsoft is running up.

As Wolfgang Kandek of Qualys pointed out in an analysis, 14 bulletins brings Microsoft to the 80 mark for 2013, which means the firm will likely surpass last year's total of 82 and almost certainly beat even 2011's 100.

This was a "good reflection of how challenging the computer security business continues to be," he said.

The whack taken by Office is also significant, with the number for the suite already matching the number for the whole of 2012. However, it is still unlikely that Office will exceed the 30 for 2011 and high points of 2008 and 2011, which saw 55 each.

Stories by John E Dunn