1 'Critical' Item and 2 Advisories in Microsoft's October Security Update

For the second month in a row, Microsoft is releasing an uncharacteristically light security update.

This month's offering includes only one "critical" bulletin, covering Microsoft Office and Microsoft server software. In addition, there are six "important" bulletins in the update. A couple of security advisories also are of note this month.

The critical item (bulletin MS12-064) addresses two privately reported flaws that could lead to a remote code execution (RCE) attack if left unpatched. Someone taking advantage of the vulnerability could gain the same user rights as the targeted user if a malicious RTF file is opened or previewed.

While this vulnerability has not yet been seen exploited in the wild, the simple nature of the flaw likely means attackers will soon start developing exploits, according to Wolfgang Kandek, CTO of security firm Qualys Inc., in an e-mail.

"Since the development complexity of an attack against this vulnerability is low, we believe this vulnerability will be the first to have an exploit developed and recommend applying the MS12-064 update as quickly as possible," said Kandek.

Important Items
This month's Microsoft patch rollout also includes the following six "important" updates:

  • MS12-065: This bulletin fixes an issue where a specially crafted Microsoft Word file opened in Microsoft Works can lead to an RCE attack.
  • MS12-066: This item addresses a publicly disclosed flaw in Microsoft Office, Microsoft Communications Platforms, Microsoft server software and Microsoft Office Web Apps. If left unpatched, an attacker could gain elevation of privilege if malicious content is downloaded and opened.
  • MS12-067: This item fixes a publicly disclosed RCE flaw in Microsoft FAST Search Server 2010 for SharePoint.
  • MS12-068: All versions of Windows except Windows 8 and Windows Server 2012 are affected by the elevation-of-privilege flaw in the Windows kernel that this bulletin fixes.
  • MS12-069: Rated important for Windows 7 and Windows Server 2008 R2, this item blocks a denial-of-service attack that could occur if a malicious session request is sent to the Kerberos server.
  • MS12-070: The final important item of the month takes care of a cross-site scripting (XSS) vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). If left unpatched, this flaw could lead to an elevation-of-privilege attack.

Microsoft Security Advisories
IT pros should watch for two security advisories this month. Along with this month's patch rollout, Microsoft has released a new advisory aimed at addressing compatibility issues with signed Microsoft binaries. Microsoft is also changing the previously optional Security Advisory 2661254 into a mandatory download -- an update that restricts the use of certificates with RSA keys of less than 1024 bits in length. The download will now be pushed through Windows Update (it was previously only available from the Microsoft Download Center).
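Because the 2661254 update will now arrive through Windows Update, an administrator will want to know in advance which certificates in the local stores fall below the 1024-bit RSA threshold it enforces. The following script is an added example written for this article; it is not Microsoft's code or part of the advisory. It assumes Windows PowerShell with the standard Cert: drive, uses only the .NET X509 APIs, and the function name Find-WeakRsaCertificate and the CSV output path are this example's own choices.

```powershell
# Added example: inventory certificates in the local Windows certificate stores
# whose RSA public key is shorter than 1024 bits, the size that Security
# Advisory 2661254 begins to block. Run from an elevated PowerShell session so
# the LocalMachine stores are readable.

$MinimumRsaKeyBits = 1024   # threshold enforced by the 2661254 update

function Find-WeakRsaCertificate {
    param(
        [string[]] $StorePaths = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int] $MinimumBits = $MinimumRsaKeyBits
    )

    foreach ($path in $StorePaths) {
        # -Recurse walks every store (My, Root, CA, ...) under the given root;
        # the type filter drops the store container objects themselves.
        Get-ChildItem -Path $path -Recurse |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # GetRSAPublicKey returns $null for non-RSA (ECC, DSA) keys,
                # which are out of scope for this advisory.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
                if ($null -eq $rsa) { return }
                try {
                    $bits = $rsa.KeySize
                } finally {
                    $rsa.Dispose()
                }
                if ($bits -lt $MinimumBits) {
                    [pscustomobject]@{
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        Thumbprint = $cert.Thumbprint
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                    }
                }
            }
    }
}

# Report to the console and keep a CSV so the issuers that need re-keying
# can be tracked before the update is pushed to the fleet.
$weak = @(Find-WeakRsaCertificate)
if ($weak.Count -gt 0) {
    $weak | Sort-Object KeyBits, Subject | Format-Table -AutoSize
    $weak | Export-Csv -Path "$env:TEMP\weak-rsa-certs.csv" -NoTypeInformation
} else {
    "No RSA certificates below $MinimumRsaKeyBits bits found."
}
```

A certificate in the Root or CA stores with a short key matters more than one in a personal store, since it breaks validation of every chain built through it, so sort the report by store before deciding what to replace first.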

The new item, Security Advisory 2749655, fixes an issue in which digital certificates were being generated without correct time stamps in all versions of Windows and Windows Server.

According to Microsoft, "these digital certificates were later used to sign some Microsoft core components and software binaries. This could cause compatibility issues between affected binaries and Microsoft Windows. While this is not a security issue, because the digital signature on files produced and signed by Microsoft will expire prematurely, this issue could adversely impact the ability to properly install and uninstall affected Microsoft components and security updates."

Those with automatic updating enabled will have this downloaded automatically.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
