For the October 2012 edition of Patch Tuesday, Microsoft is getting back to a normal release size with seven new security bulletins addressing 20 vulnerabilities. September’s Patch Tuesday was quite a light month with only one security bulletin being released by Microsoft, and hopefully IT admins had enough time to test out the non-security update addressing digital certificates less than 1024 bits in length (security advisory 2661254). Luckily, this is probably the last time I will be talking about this non-security update, as it has been released to the general patching channel (Microsoft WSUS and Windows Update).
The first bulletin administrators should look at patching is MS12-064. This security bulletin addresses a critical vulnerability in Microsoft Word where an attacker can gain remote code execution if a user opens a malicious RTF document on an unpatched system.
It is important to note that Outlook 2007 uses Word as the default email viewer. RTF documents are typically not blocked by company email servers. Also, RTF documents, like PDF documents, are commonly used for sharing documents between different companies.
An interesting note about MS12-067: this is the second time this year we have seen Microsoft release a security bulletin for vulnerabilities that exist in Oracle’s software. Microsoft SharePoint servers with FAST Search 2010 use code from Oracle’s Outside In libraries. We could be seeing different software vendors working more closely on security vulnerabilities in shared software code.
To that point, Microsoft re-released their security advisory for Adobe Flash Player yesterday. Security Advisory 2755801 provides an update to Adobe Flash Player that is bundled within Internet Explorer 10. The latest version of Internet Explorer has taken the same route that Google has taken with its Chrome browser for some time: bundling Adobe Flash with the installation. Adobe released an update for Flash (APSB12-22) addressing multiple critical vulnerabilities, and all three vendors (Adobe, Microsoft and Google) worked together on a coordinated release.
As with any Patch Tuesday, it is important to also look for non-Microsoft vendors releasing updates. With a coordinated release, administrators should be aware there is more to be concerned with than just Microsoft security bulletins.
On the non-Microsoft front, Mozilla released updates for their products. Mozilla Firefox and Thunderbird 16 are new security updates addressing quite a few critical vulnerabilities. Although I am only calling out one Microsoft security bulletin to be patched as soon as possible, there are quite a few products (Microsoft and non-Microsoft) that also need to be patched this month. Be sure to plan for extra time to get all of the patches fully deployed to your systems.
I will be going over the October Patch Tuesday patches in detail, in addition to any other non-Microsoft releases since the last Patch Tuesday, in our monthly Patch Tuesday webcast. This webcast is scheduled for tomorrow, October 10th at 11:00 a.m. CT. You can register for this webcast here.
– Jason Miller