Microsoft has released its advance notification for the upcoming Patch Tuesday.  The October 2012 edition of Patch Tuesday will feature seven security bulletins.  After an extremely light September Patch Tuesday, administrators will be quite busy this month with the number of products that have vulnerabilities being addressed.  One of the security bulletins this month will address a security advisory that Microsoft released back in July.  In addition to the seven Microsoft security bulletins, administrators will need to patch the out-of-band security bulletin that Microsoft released in late September affecting Internet Explorer if they have not done so yet.

Security Bulletin Breakdown:

  • 1 bulletin is rated as Critical
  • 6 bulletins are rated as Important
  • 3 bulletins addressing vulnerabilities that could lead to Remote Code Execution
  • 3 bulletins addressing vulnerabilities that could lead to Elevation of Privilege
  • 1 bulletin addressing vulnerabilities that could lead to Denial of Service

Affected Products:

  • All supported Microsoft operating systems except Windows 8 and Server 2012
  • Microsoft Office 2003, 2007, 2010
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack
  • Microsoft InfoPath 2007, 2010
  • Microsoft Works
  • Microsoft SharePoint Server 2007, 2010
  • Microsoft FAST Search Server 2010 for SharePoint
  • Microsoft Groove Server 2010
  • Microsoft Windows SharePoint Services 3.0
  • Microsoft SharePoint Foundation 2010
  • Microsoft Office Web Apps 2010
  • Microsoft Communicator 2007 R2
  • Microsoft Lync 2010
  • Microsoft Lync 2010 Attendee
  • Microsoft SQL Server 2000 Reporting Services
  • Microsoft SQL Server 2005 Express Edition
  • Microsoft SQL Server 2005
  • Microsoft SQL Server 2008
  • Microsoft SQL Server 2008 R2
  • Microsoft SQL Server 2012

After administrators get through this Patch Tuesday, they can look forward to patching again the following week.  Oracle's Critical Patch Update for Java is scheduled for the week after Patch Tuesday (October 16th, 2012).  Hopefully Oracle will be releasing updates for the known vulnerabilities in Java at that time.

As a friendly reminder (and yes, I have been talking about this way too much), the patch that will invalidate all certificates that are not at least 1024 bits in length will be moving from the Microsoft Download Center to Microsoft's mainstream patching applications (Windows Update, WSUS).  If an organization has not tested this patch with certificates on their network, administrators will need to be on the lookout this month for any issues that could arise with this patch.
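One way to find certificates that the key-length update would affect before it arrives through Windows Update or WSUS, as an added example that is not from the original post or from Microsoft. It assumes "length" means the RSA public key size, and the function name `Get-ShortKeyCertificate` and the default store locations are hypothetical choices made for this sketch.

```powershell
# Added example: report certificates in the local certificate stores whose RSA
# public key is shorter than the 1024-bit minimum mentioned in the post.
# Assumptions: only RSA keys are checked, and only the stores visible to the
# account running the script are inspected.

function Get-ShortKeyCertificate {
    param(
        [string[]]$StoreLocation = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinimumBits = 1024
    )

    $rsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption

    foreach ($location in $StoreLocation) {
        Get-ChildItem -Path $location -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_

                # Skip non-RSA keys (for example ECC), whose sizes are not comparable.
                if ($cert.PublicKey.Oid.Value -ne $rsaOid) { return }

                # Reading the key can fail on malformed certificates; skip those.
                try { $bits = $cert.PublicKey.Key.KeySize } catch { return }

                if ($bits -lt $MinimumBits) {
                    New-Object PSObject -Property @{
                        Store      = ($cert.PSParentPath -replace '^.*::', '')
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

# Run against the default stores and show the weakest keys first.
Get-ShortKeyCertificate |
    Sort-Object KeyBits |
    Format-Table Store, KeyBits, NotAfter, Subject, Thumbprint -AutoSize
```

An empty result only covers the stores on the machine where it runs; certificates presented by remote servers, devices or signed content on the network still need to be tested separately.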

I will be going over the October Patch Tuesday patches in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our monthly Patch Tuesday webcast.  This webcast is scheduled for next Wednesday, October 10th at 11:00 a.m. CT.  You can register for this webcast here.

- Jason Miller