News

1 'Critical' Item and 2 Advisories in Microsoft's October Security Update

• By Chris Paoli
• 10/09/2012

For the second month in a row, Microsoft is releasing an uncharacteristically light security update.

This month's offering includes only one "critical" bulletin for Microsoft Office and Microsoft server software. In addition, there are six "important" bulletins in the update. A couple of security advisories also are of note this month.The critical item (bulletin MS12-064) addresses two privately reported flaws that could lead to a remote code execution (RCE) attack if gone unpatched. Someone taking advantage of the vulnerability could gain the same user rights as the target if a malicious RTF file is opened or previewed.

While this vulnerability hasn't been seen exploited in the wild yet, the simple nature of the flaw likely may mean attackers soon will start developing exploits, according to Wolfgang Kandek, CTO of security firm Qualys Inc., in an e-mail.

"Since the development complexity of an attack against this vulnerability is low, we believe this vulnerability will be the first to have an exploit developed and recommend applying the MS12-064 update as quickly as possible," said Kandek.

Important Items
This month's Microsoft patch rollout also includes the following six "important" updates:

• MS12-065: This bulletin fixes an issue where a specially crafted Microsoft Word file opened in Microsoft Works can lead to an RCE attack.
• MS12-066: This item addresses a publicly disclosed flaw in Microsoft Office, Microsoft Communications Platforms, Microsoft server software and Microsoft Office Web Apps. If left unpatched, an attacker could gain elevation of privilege if malicious content is downloaded and opened.
• MS12-067: This item fixes a publicly disclosed RCE flaw in Microsoft FAST Search Server 2010 for SharePoint.
• MS12-068: All versions of Windows (minus Windows 8 and Windows Server 2012) are affected by this elevation of privilege fix that takes care of a flaw in the Windows kernel.
• MS12-069: Rated important for Windows 7 and Windows Server 2008 R2, this item blocks a denial-of-service attack that could occur if a malicious session request is sent to the Kerberos server.
• MS12-070: The final important item of the month takes care of a cross-site-scripting (XSS) vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). If left unpatched, this flaw could lead to an elevation of privilege attack.

Microsoft Security Advisories
IT pros should watch for two security advisories this month. Along with this month's patch rollout, Microsoft has released a new advisory aimed at addressing compatibility issues with signed Microsoft binaries. Microsoft is also changing the previously optional Security Advisory 2661254 into a mandatory download -- an update that restricts the use of certificates with RSA keys of less than 1024 bits in length. The download will now be pushed through Windows Update (it was previously only available from the Microsoft Download Center).

The new item, Security Advisory 2749655, fixes an issue in which digital certificates were being generated without correct time stamps in all versions of Windows and Windows Server.

According to Microsoft, "these digital certificates were later used to sign some Microsoft core components and software binaries. This could cause compatibility issues between affected binaries and Microsoft Windows. While this is not a security issue, because the digital signature on files produced and signed by Microsoft will expire prematurely, this issue could adversely impact the ability to properly install and uninstall affected Microsoft components and security updates."

Those with automatic updating enabled will have this downloaded automatically.