Microsoft security bulletin for September 10 2013

Microsoft security bulletin for September 10 2013
Note: There may be latency issues due to replication, if the page does not display keep refreshing

Today Microsoft released the following Security Bulletin(s).
http://technet.microsoft.com/en-us/security/bulletin...

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:



Critical (4)

Microsoft Security Bulletin MS13-067 - Critical
Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
http://go.microsoft.com/fwlink/?LinkId=293350

Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)
http://go.microsoft.com/fwlink/?LinkID=307055

Microsoft Security Bulletin MS13-069 - Critical
Cumulative Security Update for Internet Explorer (28706990)
https://technet.microsoft.com/en-us/security/bulleti...

Microsoft Security Bulletin MS13-070 - Critical
Vulnerability in OLE Could Allow Remote Code Execution (2876217)
https://technet.microsoft.com/en-us/security/bulleti...




Important (9)

Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)
http://go.microsoft.com/fwlink/?LinkID=314046

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
http://go.microsoft.com/fwlink/?LinkId=299217

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)
http://go.microsoft.com/fwlink/?LinkId=293351

Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)
http://go.microsoft.com/fwlink/?LinkId=308989

Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)
http://go.microsoft.com/fwlink/?LinkId=318022

Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315)
http://go.microsoft.com/fwlink/?LinkID=320624

Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)
http://go.microsoft.com/fwlink/?LinkID=320630

Vulnerability in FrontPage Could Allow Information Disclosure (2825621)
http://go.microsoft.com/fwlink/?LinkId=318021

Vulnerability in Active Directory Could Allow Denial of Service (2853587)
http://go.microsoft.com/fwlink/?LinkID=320666
Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact For home users, no-charge support for security updates (only!) is available by calling 800-MICROSOFT (800-642-7676) in the US or 877-568-2495 in Canada.

As always, download the updates only from the vendors website - visit Windows Update and Office Update or Microsoft Update websites. You may also get the updates thru Automatic Updates functionality in Windows system.

Security Tool
Find out if you are missing important Microsoft product updates by using MBSA.

Microsoft Security Advisory (2755801)

Update for Vulnerabilities in Adobe Flash Player in Internet Explorer

Published: Friday, September 21, 2012 | Updated: Tuesday, September 10, 2013

Version: 15.0


General Information

Executive Summary

Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.

Advisory Details

Current Update

Microsoft recommends that customers apply the current update immediately using update management software, or by checking for updates using the Microsoft Update service. Since the update is cumulative, only the current update will be offered. Customers do not need to install previous updates as a prerequisite for installing the current update.
On September 10, 2013, Microsoft released an update (2880289) for Internet Explorer 10 on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-21. For more information about this update, including download links, see Microsoft Knowledge Base Article 2880289.

Notes The update for Windows RT is available via Windows Update only.
The update is also available for Internet Explorer 11 Preview in Windows 8.1 Preview and Windows RT 8.1 Preview releases, as well as for Internet Explorer 11 in Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 releases. The update is available via Windows Update.

http://technet.microsoft.com/en-us/security/advisory...

Note that some of the updates for Office are seriously screwed
http://www.infoworld.com/t/microsoft-windows/microso...
Affected me to the point that a restore using Acronis was needed as the restore point system doesn't work properly with Kaspersky Internet Security

As a Microsoft worldwide mvp for updates I do check before posting these updates that on my system all is in order and logs taken for verification and it's just regretful that some members of the public have found a bug somewhere

It is a on going concern as to why some updates fail in some systems and not others but you can be sure every care and attention to detail is maintained at all times and from myself I apologise for any inconvenience caused

I appreciate that but I think it is unlikely that your system consists of Win 7 64 bit with Office 2003 which is what I have and where the Excel 2003 patch went badly wrong
You personally would not be expected to check across all or most system options but Microsoft should have done

What did seem odd about this update was it was the first time on my system that a Windows update did not start a Restore point event, before the update! None was present. (Running Windows 8 64 bit). Luckily I had another restore point which I used, then installed all the updates other than those I had been warned about.

I hope Windows 8.1 is not full of problems.

I do have most software on my system but it's all up to date IE office 2013 across vista/7/8/only 64bit

all other software fully current across the board so yes with the older software I'm stuck

keep your eye on these threads and hopefully a work around will be along ASAP

http://answers.microsoft.com/en-us/Search/Search?Sea...

we all hope that the new subtle features are successful in the new windows 8.1 build

Thanks for the link - this has now come up http://answers.microsoft.com/en-us/office/forum/offi...

In reply to a post by Oldjim:

Thanks for the link - this has now come up http://answers.microsoft.com/en-us/office/forum/offi...

This has just been posted and will report back here when i have a further update
http://blogs.technet.com/b/office_sustained_engineer...

Must be a nightmare to test them. Millions of different system setups and software setups that you cannot possibly test for all outcomes

In reply to a post by bobble_bob:

Must be a nightmare to test them. Millions of different system setups and software setups that you cannot possibly test for all outcomes

That's very true i have around 500 applications of software on my system which covers most users software and I'm always adding to the list when requested to do so by the public

having said that i do believe that taking time out to keep your system up to date pays dividends overall as is the best practise' their will always be the odd glitch but by following a good forum such as this one none of us should be going far wrong if at all slight delay in getting something corrected maybe and that's about it

I have Windows Update to ask me before installing updates, this way i can check nothing is wrong with the updates before installing them.

In reply to a post by bobble_bob:

I have Windows Update to ask me before installing updates, this way i can check nothing is wrong with the updates before installing them.

yes that's a good idea in most cases

September 2013 Office Update: Targeting and Repeated Offering

1 day ago

byThe Microsoft Office Sustained Engineering Team


Since the shipment of the September 2013 Security Bulletin Release, we have received reports of updates being offered for installation multiple times, or certain cases where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).

We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates.

We have received escalations related to targeting for the following KB's.

MICROSOFT SECURITY BULLETIN MS13-072
�Security Update for Word 2003 (KB2817682)
�Security Update for Office 2003 (KB2817474)
�Security Update for Microsoft Office 2007 suites (KB2760411)
�Security Update for Microsoft Office 2007 suites (KB2597973)
�Security Update for Microsoft Office Word 2007 (KB2767773)
�Security Update for Microsoft Word 2010 (KB2760769)
�Security Update for Microsoft Office 2010 (KB2767913)
�Security Update for Word Viewer (KB2817683)
�Security Update for Microsoft Office 2007 suites (KB2760823)

MICROSOFT SECURITY BULLETIN MS13-073
�Security Update for Excel 2003 (KB2810048)
�Security Update for Microsoft Office Excel 2007 (KB2760583)
�Security Update for Microsoft Excel 2010 (KB2760597)
�Security Update for Microsoft Excel 2013 (KB2768017)
�Security Update for Microsoft Office Excel Viewer 2007 (KB2760590)
�Security Update for Microsoft Office 2007 suites (KB2760588)

Non-Security Updates:
�Update for Microsoft PowerPoint 2010 (KB2553145)
�Update for Microsoft PowerPoint Viewer 2010 (KB2553351)

Please inform us of any other KB's where you are experiencing multiple re-installation offers or missing installations from deployment products.
http://blogs.technet.com/b/office_sustained_engineer...

Edited by NICK_ADSL_UK (Fri 13-Sep-13 22:00:36)

My Start Button has the Updates icon, so it will install the updates it downloaded (yesterday, I think) when I switch off. I'd rather wait a bit, so is there any way to shut down without installing them? There has been in previous versions. It's Win7 Home Premium.

In reply to a post by GeoffB:

My Start Button has the Updates icon, so it will install the updates it downloaded (yesterday, I think) when I switch off. I'd rather wait a bit, so is there any way to shut down without installing them? There has been in previous versions. It's Win7 Home Premium.

yes Geoff
if you go into your control panel you will find the icon windows update open that where you can then customise how you wont to install the monthly updates

Edited by NICK_ADSL_UK (Sat 14-Sep-13 11:51:50)

I thought that, as it had already downloaded, those settings would only apply for the next set of updates. Anyway, if you do a Control-Alt-Delete the screen gives the option to shut down with or without installing the updates. It's on the arrow menu at the side of the shutdown button. It took a bit of finding, but Google came up trumps.

In reply to a post by GeoffB:

I thought that, as it had already downloaded, those settings would only apply for the next set of updates. Anyway, if you do a Control-Alt-Delete the screen gives the option to shut down with or without installing the updates. It's on the arrow menu at the side of the shutdown button. It took a bit of finding, but Google came up trumps.

The most important thing Geoff is to keep up to date at all times. Missing a few days will not harm your OS. most people worldwide use the default setting and let Microsoft do all the updates otherwise the updates wouldn't get installed at all

better to be a few days late with updating then having to hit the forums looking for a fix. don't forget that flash and Java also need careful attention as some of your software and browsing may not function as it should

Edited by NICK_ADSL_UK (Sat 14-Sep-13 16:03:32)

Java has been disabled on my computers for ages. I usually do the Flash Updates manually. As for Windows, I prefer to download and then be prompted to install at my own convenience. I usually wait two weeks after 'Updates Tuesday' and set myself a reminder in my Outlook calendar.

Don't forget to use Belarc Advisor so you can be certain that all updates on your computer have been registered correctly

Belarc Advisor
http://www.belarc.com/free_download.html

Never heard of that software before

Has been around for 10+ years

Extremely useful piece of software. I run it once or twice a year on both PCs and keep a printed copy of the output filed away.

Just great - from Belarc Advisor
These security updates apply to this computer but are not currently installed (using Advisor definitions version 2013.9.12.1), according to the 09/10/2013 Microsoft Security Bulletin Summary and bulletins from other vendors. Note: Security benchmarks require that Critical and Important severity security updates must be installed.

Hotfix Id Severity Description (click to see security bulletin)
KB2760411 Important Microsoft security update (KB2760411)
KB2760588 Important Microsoft security update (KB2760588)
KB2810048 Important Microsoft security update (KB2810048)

But according to my Update history they all are

So uninstalled the updates but according to Windows Update there are no new updates
However they are still there in the successfully installed updates but not in the ones I can remove

Edited by deleted (Mon 16-Sep-13 11:15:23)

In reply to a post by Oldjim:

Just great - from Belarc Advisor
These security updates apply to this computer but are not currently installed (using Advisor definitions version 2013.9.12.1), according to the 09/10/2013 Microsoft Security Bulletin Summary and bulletins from other vendors. Note: Security benchmarks require that Critical and Important severity security updates must be installed.

Hotfix Id Severity Description (click to see security bulletin)
KB2760411 Important Microsoft security update (KB2760411)
KB2760588 Important Microsoft security update (KB2760588)
KB2810048 Important Microsoft security update (KB2810048)

But according to my Update history they all are

So uninstalled the updates but according to Windows Update there are no new updates
However they are still there in the successfully installed updates but not in the ones I can remove

These are the updates this month that are causing a problem in one way or another and as i said earlier in this thread i will post more news when i receive it

In reply to a post by NICK_ADSL_UK:

In reply to a post by Oldjim:

Just great - from Belarc Advisor
These security updates apply to this computer but are not currently installed (using Advisor definitions version 2013.9.12.1), according to the 09/10/2013 Microsoft Security Bulletin Summary and bulletins from other vendors. Note: Security benchmarks require that Critical and Important severity security updates must be installed.

Hotfix Id Severity Description (click to see security bulletin)
KB2760411 Important Microsoft security update (KB2760411)
KB2760588 Important Microsoft security update (KB2760588)
KB2810048 Important Microsoft security update (KB2810048)

But according to my Update history they all are

So uninstalled the updates but according to Windows Update there are no new updates
However they are still there in the successfully installed updates but not in the ones I can remove

These are the updates this month that are causing a problem in one way or another and as i said earlier in this thread i will post more news when i receive it

please note that there is still a glitch with this months Microsoft updates and the Belarc Advisor in some circumstances may not display the updates above correctly at this time

Just arrived in the regular update

Security Update for Excel 2003 (KB2810048)

Installation date: ‎17/‎09/‎2013 10:07

Installation status: Successful

Microsoft Releases Security Advisory 2887505

MSRCTeam

17 Sep 2013 10:00 AM


Today we released Security Advisory 2887505 regarding an issue that affects Internet Explorer. There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions. This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message. Running modern versions of Internet Explorer ensures that customers receive the benefit of additional security features that can help prevent successful attacks.

While we are actively working to develop a security update to address this issue, we encourage Internet Explorer customers concerned with the risk associated with this vulnerability, to deploy the following workarounds and mitigations from the advisory:
�Apply the Microsoft Fix it solution, "CVE-2013-3893 MSHTML Shim Workaround," that prevents exploitation of this issue
See Microsoft Knowledge Base Article 2887505 to use the automated Microsoft Fix it solution to enable or disable this workaround.
�Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
�Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

As a best practice, we always encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage customers to exercise caution when visiting websites and avoid clicking suspicious links or opening email messages from unfamiliar senders. Additional information can be found at www.microsoft.com/protect.

We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our customers.

Thank you,

Dustin Childs
Group Manager, Response Communications
Trustworthy Computing

http://blogs.technet.com/b/msrc/archive/2013/09/16/m...

Good job i dont use IE then. Its a terrible browser, so slow

It is certainly behind other browsers in WebGL stuff, although hopefully 8.1 will level things out...

How can you tell that there are no issues unless you install?