Brace yourself. Critical security patches from Microsoft are just around the corner

Buggy OutlookOn Tuesday, Microsoft will be releasing its latest bundle of essential security patches – protecting against exploitable vulnerabilities in various versions of Windows, Microsoft Outlook, Microsoft Office, Internet Explorer, Sharepoint and Frontpage.

Preliminary details of what the security updates will cover is detailed in Microsoft’s Patch Tuesday pre-announcement, but perhaps the most serious bugs are the critical remote code execution flaws in Outlook 2007 and Outlook 2010.

Those vulnerabilities could be exploited by hackers to run malicious code on your computer simply by getting you to view a boobytrapped email. It’s easy to imagine how such a flaw could be used in a targeted attack to inject a spyware Trojan horse into an organisation, for instance.

Office 2007 Service Pack 3 and Office 2010 Service Pack 1 are in the firing line, and will need to be patched.

Critical remote code execution vulnerabilities have also been uncovered in versions of SharePoint, while an information disclosure vulnerability needs to be patched in FrontPage 2003 Service Pack 3.

Additionally, “important”-rated vulnerabilities were also discovered in the Office 2013 editions of Excel and Access.

And – surprise, surprise – many different versions of Internet Explorer are being patches once again, this time against remote code execution vulnerabilities.

Even Mac users don’t manage to get away empty-handed this month. Microsoft Office for Mac 2011 is also lined up to receive an “important” update related to remote code execution.

There are also critical security patches for Windows XP and Windows Server 2003. But if you are still using those operating systems you should really start working out your upgrade plans – as Microsoft will no longer issue security updates for these platforms from April 2014.

If you continue to use Windows XP and Server 2003 after April 2014, you will be a sitting duck for malicious hackers.

For most home users the best way to keep on top of the regular security patches is to enable automatic updates.

Windows Update

Things are more complicated for businesses, however, who typically want to test that a security update doesn’t cause conflicts with their systems and force any downtime.

Last month, for instance, Microsoft had to reissue a security patch after the original version broke systems at some companies.

So spare a little love for your poor sysadmin if you see him next week – chances are that he’s going to be busy.

But, whatever your situation, don’t keep your head in the sand about security vulnerabilities. Criminals feast upon security patches like the one due to be published by Microsoft, attempting to reverse-engineer details of the flaws so that they might exploit them in the wild.

When Microsoft releases its patches you should attempt to roll them out across your systems without too much delay.

You can read more about in Microsoft’s advisory for the September 2013 Patch Tuesday.

Tags: , , , ,


, , , ,

3 Responses

  1. Yuhong Bao September 8, 2013 at 9:08 am #

    "Office 2013 escapes unscathed this month."
    It doesn't. And the FrontPage 2003 patch is for "Information Disclosure".

    • Graham Cluley
      Graham Cluley September 8, 2013 at 9:58 am #

      Thanks for the correction. I have corrected and clarified the wording above.

  2. Scott T September 9, 2013 at 1:39 pm #

    Windows Server 2003/R2 have extended support until 7/14/2015.

Leave a Reply

XSLT by CarLake