Helen Hunt Jackson famously wrote, “By all lovely tokens September is here, with summer’s best of weather and autumn’s best of cheer.” I share Helen’s clear adoration for this time of year. As a sports fan, there are so many “lovely tokens” to enjoy. The baseball pennant race is heating up, college and pro football are underway, and various soccer leagues (real football to the rest of the world) continue. As a parent, there are the “lovely tokens” of my kids returning to school, which brings a reminder of summer’s passing and excitement for another year of learning, growing, and adjusting to a new routine. For me, the routine is set: the second Tuesday of the month is here and with it comes a round of “lovely tokens” to help protect our customers.

This month we released 13 bulletins–four Critical and nine Important–which addressed 47 unique CVEs in Microsoft Windows, Office, Internet Explorer and SharePoint. For those who need to prioritize their deployment planning, we recommend focusing on MS13-067, MS13-068, and MS13-069 first.

Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases (click for larger view).

MS13-068 | Vulnerability in Microsoft Outlook Could Allow Remote Code Execution

In preparing for this month’s release, this is the first bulletin that caught my attention, and it likely caught yours as well. This privately reported issue could allow remote code execution if an email carrying a specially craft S/MIME certificate is viewed or previewed on an affected system. As detailed in the SRD Blog, creating S/MIME certificates is trivial, but creating the specific one in the precise manner needed to execute code will be difficult. Still, the possibility is there and that is why we listed this update as our highest priority for this month. We have not detected any active attacks here and if you have automatic updating enabled, you won’t need to take any action to be protected from this issue.

MS13-069 | Cumulative Security Update for Internet Explorer

This security update resolves 10 issues in all supported versions of Internet Explorer. All 10 were privately disclosed and we have not detected any active attacks for anything addressed by the bulletin. All CVEs are caused by the browser improperly accessing an object in memory. If you visit a specially crafted website with an affected system, an attacker could execute arbitrary code in the context of the current user. This security update is rated Critical for all versions of Internet Explorer.

MS13-067 | Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution

This update for SharePoint Servers also addresses 10 issues, but here, only CVE-2013-1330 is Critical. While CVE-2013-3180, an Important-rated issue, was publicly disclosed, we have not detected any active attacks involving any of these issues. For the one Critical CVE here, an attacker could send specially crafted content to an affected server. After a failure to properly validate the input,
the attacker could then execute code on the system in the context of the W3WP service account. SharePoint Server 2013 is not affected by this Critical issue.

Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index (click for larger view).

Finally, we are revising Security Advisory 2755801 to provide the latest update for Adobe Flash Player in Internet Explorer. Full details about this update can be found in the advisory.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, September 11, 2013, at 11 a.m. PDT. I invite you to register here and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I hope you find some lovely tokens to enjoy this month. Pumpkin spice can be a great additive this time of year; just remember not everything needs it. I look forward to hearing your questions in the webcast tomorrow.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing