Microsoft released eight patches this October Patch Tuesday – four critical and four important. The vulnerabilities in IE have been patched thankfully and the bulk of the October issues do not impact the current code base. Paul Henry, security and forensics analyst at Lumension, provides more on the updates.
Click through for a rundown of October’s Microsoft Patches, provided by Paul Henry, security and forensics analyst, Lumension.
Microsoft has addressed 27 CVEs this month. Many people will be happy to see MS13–080, a critical patch for 10 vulnerabilities in Internet Explorer 6 through 11. There are two known attacks underway so the IE patch should be your priority number one. This patches CVE-2013-3893, a zero day vulnerability Microsoft wrote about in Security Advisory 2887505 September 17.
MS13-081 patches seven privately reported vulnerabilities in Microsoft Windows kernel mode driver and should be your second priority. This also has a critical rating but there are no known active attacks.
Third on your list of priorities is MS13–083, a critical patch for Windows Common Control Library across all platforms except Windows Server 2012 R2 and Windows RT 8.1 and addresses one privately reported vulnerability that could allow for a remote code execution. There are no known active attacks.
MS13-082 is the last of the critical patches and it addresses what could be a remote code execution in Windows and the .NET framework across all platforms except Windows Server 2012 R2 and Windows RT8.1.
The remaining bulletins are rated important and should be prioritized based upon your specific usage of the affected software.
MS13-084 is an important patch for Sharepoint 2007, 2010 and 2013. It’s a remote code execution vulnerability and handles an issue in Microsoft Office, Microsoft Server Software for Excel and Word Services.
MS13-085 patches two privately reported vulnerabilities in Microsoft Excel that could allow for a remote code execution. MS13-086 also patches two privately reported vulnerabilities that could allow a remote code execution but this one is for Word. Lastly, we have MS13-087. One privately reported vulnerability in Silverlight that could allow information disclosure is patched in this one; no active attacks are known.
Microsoft has also revised Security Advisory 2862973 – an Update for Deprecation of MD5 Hashing Algorithm for Microsoft Root Certificate Program that will roll out in February so test and plan accordingly. (http://technet.microsoft.com/en-us/security/advisory/2862973)
Also top of mind this patch Tuesday is the breach at Adobe that may have revealed both customer information (including credit card data) and source code for Adobe products. Reportedly, account data including customer ID’s as well as encrypted passwords for 2.9 million users were stolen. Brian Krebs and Alex Holden first reported they discovered a 40 GB source code trove stashed on a server that included code for ColdFusion and Acrobat. Unfortunately, we have seen zero-day exploits in Adobe products on a regular basis and now with source code available for cyber criminals, we can expect to see an increase in Adobe-related zero-day issues for the foreseeable future.