The buzz around the security community was not about the fixes themselves, but about Microsoft’s inadvertently publishing the complete bulletins on Friday without the actual patches being available.
Andrew Storm, director of security operations for nCircle, said of the gaffe: “I don’t remember this ever happening.” Wolfgang Kandek, chief technology officer at Qualys, downplayed the mistake: “While the information is interesting and certainly helpful for us…I don’t believe there is any heightened security risk with the early exposure.”
Microsoft scrambled to fix the mistake and pulled the bulletins. In a Sept. 9 tweet, the Microsoft Security Response Team admitted to the slip: “Some of you may have seen an early peek at Tuesday’s draft bulletin text, we’ve since removed the content.”
Perhaps Microsoft was just trying to create some buzz around a rather lackluster Patch Tuesday announcement. Microsoft is planning to fix 15 security flaws, none of which is rated “critical".
Storm said that the September Patch Tuesday was a “little odd” because only two of the five bulletins apply to operating system components; the other three are application-specific.
“This is such a light patch month that some organizations may only need to install two patches, depending on the applications they use”, Storm said. He warned that October traditionally is a “big patch month”.
Top priority in the update should be given to remote code execution Microsoft Office patches that affect Excel 2003 through Excel 2010 and Office 2003 through Office 2010, advised Amol Sarwate, vulnerability labs manager for Qualys. Another high priority is the Windows patch that fixes a remote code execution flaw in Windows XP, Windows Vista, Windows 7, Windows 2003, and Windows 2008, he added.
Marcus Carey, security researcher and community manager at Rapid7, warned organizations against a “false sense of security” and “complacency” over the light patch load.
“While ‘important’ vulnerabilities may not give attackers the full root privileges generally associated with ‘critical’ vulnerabilities, an attacker can use an ‘important’ rated vulnerability to achieve an initial compromise and then escalate privileges by other means”, Carey said.
“By using an ‘important’ vulnerability and other methods, attackers can still end up with the same result, and so it is essential that organizations understand that all five of these ‘important’ bulletins can result in an escalation of privileges for the attacker, which is a serious matter and needs to be addressed quickly”, he added.