Patch Tuesday: Microsoft Fixes Serious Outlook Error, Critical SharePoint Server Flaws


Microsoft issued critical security updates addressing a bevy of flaws in Internet Explorer, a serious error in Outlook and a SharePoint server zero-day vulnerability.

The software giant issued 13 bulletins as part of its September 2013 Patch Tuesday round of updates, including four critical bulletins. The repairs addressed 47 vulnerabilities in Microsoft Windows, Office, Internet Explorer and SharePoint server.

Vulnerability management experts said a critical update to Microsoft's Office Server software should gain the most attention from Windows administrators. Microsoft addressed a zero-day flaw and nine other vulnerabilities in SharePoint that could allow remote code execution. The issues stem from the way Microsoft Office Services and Web Apps parse content when handling requests sent to a Web Server. In addition, the server has two cross-site scripting vulnerabilities that can be used by an attacker to carry out attacks and run malicious scripts while masquerading as the logged-in user. The update impacts all currently supported versions of SharePoint, Microsoft said.

[Related: Top 10 Malware Threats To Microsoft PCs]

"If you use SharePoint, patch this one first," said Paul Henry, security and forensics analyst at Scottsdale, Ariz.-based Lumension, adding that some of the flaws repaired in SharePoint are difficult to exploit but particularly dangerous coding errors.

The software maker also issued a critical update to Microsoft Outlook that resolves a flaw that could be targeted by an attacker tricking a user into opening a malicious email message. The flaw can enable an attacker to gain the same user rights as the local user. Microsoft said it has not detected any active attacks targeting the coding error. The issue impacts Microsoft office 2007 and 2010.

The software maker addressed 10 critical vulnerabilities in Internet Explorer, including a remote code execution vulnerability that could be used in drive-by attacks targeting IE users, Microsoft said. The update impacts all currently supported versions of Internet Explorer.

"This is pretty significant, and administrators will have to move fast to patch this before exploits appear," said Ross Barrett, senior manager of security engineering at Boston-based Rapid7.

Microsoft also resolved a critical vulnerability in Windows, repairing a flaw in Windows XP and Windows Server 2003 that impacts OLE, its core interface for providing data storage for applications. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user, Microsoft said. The security update comes just months before Apple pulls the plug on support for Windows XP. It's scheduled to be terminated in April 2014.

In addition, Microsoft issued updates rated important for a variety of its other software. Flaws were repaired in Microsoft Excel and Access. Patches were also made available to address coding errors in the Windows Kernel-mode Drivers. Microsoft issued a patch repairing a flaw in Microsoft FrontPage that could enable information disclosure and fixing a coding error in Active Directory that could cause it to crash.

PUBLISHED SEPT. 10, 2013