After September’s update, which contained only four patches, Microsoft has returned to the routine of “Big Patch Tuesdays”, with its October security instalment containing ten security advisories, of which six are rated critical. In the ten patches provided, Microsoft fixes a record twenty-six vulnerabilities, of which nineteen are critical in nature and could be exploited remotely. IT managers might be happy to know that Microsoft was initially planning to release a total of eleven patches, but one of them did not pass quality control testing and was held back. Even so, installing more than two dozen fixes is going to be challenging for any IT professional running a large network.
The six critical bulletins fix flaws in Windows and the Office package, and some of the vulnerabilities addressed have already been exploited in the wild or have had proof-of-concept code released. Of the six patches, four deal with problems in Microsoft Office, including vulnerabilities in Excel and Word that have been publicly known for at least a month. The other two Office patches fix flaws in Microsoft PowerPoint and general problems in the Microsoft Office suite.
Two further critical bulletins relate to problems in Microsoft Windows. One of these, a problem in Windows Shell, was already being publicly exploited, as confirmed not only by the security community but also by Microsoft itself. The other vulnerability, in XML Core Services, has not been publicly disclosed, but has the potential to become a very important problem if not patched as soon as possible.
The rest of the vulnerabilities, seven in total across four bulletins, received ratings between Important and Low. The two that are rated Important were found in the Server Services component of Windows and could lead to denial of service attacks. Of the two “Moderate” bulletins, one fixed a flaw in .NET Framework 2.0 that could lead to spoofing and information disclosure, while the other addressed an issue in Windows Object Packager that could lead to remote code execution, but only after “significant user interaction”, which prompted the low security rating. The other three vulnerabilities, all rated “Low” in terms of severity, were found in TCP/IP and were bundled into a single bulletin.
Straight after release on October 10, these updates were not available via the automatic distribution channels Microsoft usually provides, due to “some network issues”. However, the problem was later corrected, and users could access the patches via Microsoft Update and the Automatic Updates service. Given the “critical nature” of most of the bulletins and the fact that several of the vulnerabilities fixed have already been exploited, users are recommended to update immediately, either via the automatic update route or manually from Microsoft TechNet.