Patch Tuesday: Microsoft Security Bulletins For October 2012 Released
For this month’s (October 2012) Patch Tuesday, Microsoft has released a total of seven patches to fix one critical and six important issues found in Windows, Office and some of its other products. If you have set Windows to automatically receive updates, Windows Update must have automatically installed the recommended updates.
“MS12-064 (Microsoft Word): This security update resolves two issues in Microsoft Office. This bulletin has a severity rating of Critical and can result in remote code execution. Only one of the two issues addressed by this bulletin is rated Critical, but in that case, an attacker could run code in the context of the logged-on user if they were to open a specially crafted Rich Text Format (RTF) file or previews or open a specially crafted RTF email message,” a Microsoft statement reads.
Security Advisory 2661254
We began discussing this issue in June, and originally released this advisory in August. Today we’re moving the update from being available on the Download Center to distributing it through Windows Update. This is the final step in our move to help folks strengthen their certificates by requiring them to have an RSA key length of at least 1024 bits.
Security Advisory 2749655
The update addresses potential compatibility issues due to a signature timestamp on valid files expiring before it should. This advisory will improve your overall security profile, rather than addressing an issue in a specific product. While there has been no certificate compromise related to this issue, if un-addressed, it could affect your ability to install future updates, including security updates. Dustin Ingalls and Jonathan Ness discuss this issue in further detail on the SRD blog. This update is available through Automatic Updates as well as the Windows Update Catalog and Download Center.
Microsoft Security Bulletin Summary for October 2012 Patch Tuesday
- MS12-064: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2742319)
This security update resolves two privately reported vulnerabilities in Microsoft Office. The more severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-065: Vulnerability in Microsoft Works Could Allow Remote Code Execution (2754670)
This security update resolves a privately reported vulnerability in Microsoft Works. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Word file using Microsoft Works. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-066: Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517)
This security update resolves a publicly disclosed vulnerability in Microsoft Office, Microsoft Communications Platforms, Microsoft Server software, and Microsoft Office Web Apps. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user.
- MS12-067: Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (2742321)
This security update resolves publicly disclosed vulnerabilities in Microsoft FAST Search Server 2010 for SharePoint. The vulnerabilities could allow remote code execution in the security context of a user account with a restricted token. FAST Search Server for SharePoint is only affected by this issue when Advanced Filter Pack is enabled. By default, Advanced Filter Pack is disabled.
- MS12-068: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2724197)
This security update resolves a privately reported vulnerability in all supported releases of Microsoft Windows except Windows 8 and Windows Server 2012. This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
- MS12-069: Vulnerability in Kerberos Could Allow Denial of Service (2743555)
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote attacker sends a specially crafted session request to the Kerberos server. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
- MS12-070: Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849)
This security update resolves a privately reported vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). The vulnerability is a cross-site-scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the SSRS site in the context of the targeted user. An attacker could exploit this vulnerability by sending a specially crafted link to the user and convincing the user to click the link. An attacker could also host a website that contains a webpage designed to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.
If you prioritize updates, Microsoft recommends installing the critical patches first. Microsoft suggests deploying critical security bulletin MS12-064, followed by MS12-066, MS12-067 and MS12-69.
If you are interested in the severity and exploitability index for October 2012 security bulletins, you can see the chart below.
Source: Microsoft Security TechCenter