Microsoft will release a patch addressing 13 vulnerabilities (eight of them marked as ‘critical’ and five of them marked as ‘important’) tomorrow for the month of October, 2009.
According to the Microsoft Security Response Center, Microsoft will issue 13 Security Bulletins on Tuesday, and it will host a webcast to address customer questions about the bulletin the following day (October 14 at 11:00am PST, if you’re interested). Eight of the vulnerabilities are rated “Critical,” and the other five are marked as “Important.” All of the Critical vulnerabilities earned their rating through a remote code execution impact, meaning a hacker could potentially gain control of an infected machine. At least six of the 13 patches will require a restart.
The list of affected operating systems includes Windows 2000, Windows XP (x86 and x64), Windows Server 2003 (x86 and x64), Windows Vista (x86 and x64), Windows Server 2008 (x86 and x64), Windows 7 (x86 and x64), and Windows Server 2008 R2 (x86 and x64). This is the first Patch Tuesday where Microsoft is releasing patches for Windows 7 and Windows Server 2008 R2.
In terms of the Microsoft Office suites, Office XP, Office 2003, Office 2007, Office Groove 2007, Office Project 2002, Word Viewer, Excel Viewer, PowerPoint Viewer, Visio Viewer, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Expression Web, and Microsoft Works are affected. In addition, SQL Server 2000, SQL Server 2005, Silverlight 2, Visual Studio .NET 2003, Visual Studio 2005, Visual Studio 2008, Visual FoxPro 8.0, Visual FoxPro 9.0, Microsoft Report Viewer 2005, Microsoft Report Viewer 2008, Microsoft Platform SDK Redistributable, and Microsoft Forefront Client Security 1.0 are vulnerable.
For those wondering, yes, Microsoft is patching the Server Message Block 2 (SMB2) protocol flaw disclosed in September 2009, which affects Windows Vista and Windows Server 2008. This is separate from the “Fix it” links for the SMB2 flaw released two weeks ago; this patch will completely fix the problem as opposed to disabling the protocol (once you’ve patched, you should re-enable it if you disabled it originally).
The exact breakdown of the bulletins is as follows:
* Bulletin 1: Critical (Remote Code Execution), Windows
* Bulletin 2: Critical (Remote Code Execution), Windows
* Bulletin 3: Critical (Remote Code Execution), Windows
* Bulletin 4: Critical (Remote Code Execution), Windows
* Bulletin 5: Critical (Remote Code Execution), Windows, Internet Explorer
* Bulletin 6: Critical (Remote Code Execution), Windows
* Bulletin 7: Important (Spoofing), Windows
* Bulletin 8: Important (Remote Code Execution), Windows
* Bulletin 9: Important (Elevation of Privilege), Windows
* Bulletin 10: Important (Denial of Service), Windows
* Bulletin 11: Critical (Remote Code Execution), Office
* Bulletin 12: Critical (Remote Code Execution), Windows, Silverlight
* Bulletin 13: Critical (Remote Code Execution), Windows, Office, SQL Server, Developer Tools, Forefront
Along with these patches, Microsoft is also planning to release the following on Patch Tuesday:
* One or more nonsecurity, high-priority updates on Windows Update (WU) and Windows Server Update Services (WSUS)
* One or more nonsecurity, high-priority updates on Microsoft Update (MU) and WSUS
* An updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Microsoft Download Center
This information is subject to change by Patch Tuesday; Microsoft has been known to rush patches as well as pull them if it deems it necessary.
