Security update: Light Microsoft Patch Tuesday with low application impact plus critical Adobe fixes

Microsoft's September Patch Tuesday security update is relatively light with only five security updates.

Microsoft's September Patch Tuesday security update is relatively light with only five security updates.

However, Microsoft also released an update (KB2616676) that continues the saga of recent stolen DigiNotar certificates.

The update revokes certificates signed by two certificate authorities (CAs) - Entrust and Cybertrust - which issued certificates on behalf of DigiNotar.

At the end of August it emerged that hackers had broken into DigiNotar and created fake certificates for sites including Google, Facebook, Skype and other companies.

Microsoft (KB2607712), Mozilla, Opera and Apple released an update to revoke the certificates. On 6 September, Microsoft updated 2607712 for Windows XP and Server 2003, which do not use the Microsoft Certificate Trust List to validate the trust of a CA.

The latest update from Microsoft will revoke six more certificates issued by Entrust and Cybertrust on behalf of DigiNotar and will replace 2607712, said Wolfgang Kandek, chief technology officer at security firm Qualys.

"We will continue to monitor the other suppliers as they implement these changes and will update this blog as they occur," he said.

Top priorities

Out of the September Patch Tuesday bulletins, Kandek says top priority should be given to MS11-072, which fixes an arbitrary code execution vulnerability in Excel. It affects all versions of Excel, including the most recent 2010 version.

To exploit this issue, attackers could create malicious Excel files, which, when opened on vulnerable hosts, can take control of the system, warned Kandek.

Priority should also be given to MS11-073, which fixes a code execution vulnerability in Microsoft Office versions 2003, 2007 and 2010, including Microsoft Word, he said. Attackers could use a malicious word file (CVE-2011-1982) to execute code on victims' machines.

A DLL preloading issue was fixed in MS11-071 which affects the deskpan.dll component and affects all versions of Windows. Two elevation of privilege issues were fixed by MS11-074 and MS11-070 which affect Sharepoint 2007, Sharepoint 2010 and WINS for Windows Server 2003, Server 2008 respectively.

No compatibility issues

Due to the relatively light Patch Tuesday, Microsoft's monthly security update will have only a moderate impact on IT operations, with no serious application compatibility issues expected, according to Greg Lambert, chief technical architect at ChangeBase.

"As part of the Patch Tuesday Security Update analysis performed by the ChangeBase AOK team, we have seen very little cause for potential compatibility issues," he said.

But given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released.

ChangeBase reports that only MS11-070 and MS11-073 were rated as having a potentially fixable application impact when tested using ChangeBase's AOK Application Compatibility Lab's test portfolio of over 1,000 applications. No compatibility issues were detected for any of the remaining three updates.



Adobe updates

In addition to Microsoft Patch Tuesday, Adobe released security update APSB11-24 which fixes critical vulnerabilities in Adobe Reader and Acrobat.

Adobe Reader X (10.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.2 and earlier versions for Unix, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh.

These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system, said Kandek.

Read more on IT risk management