Microsoft Patches 28 Security Flaws
Microsoft scaled back its October patch event by one on Tuesday, electing to release ten patches. Five patches are intended for Windows, the highest rating of those being critical; four for Office, with the highest rating also being critical; and one moderate patch for the .NET framework.
As is typical with information surrounding Patch Tuesday releases, Microsoft did not specify the nature of the dropped patch.
Altogether across the ten patches, a staggering 28 security issues have been fixed, with a large portion of them yet again coming from the Redmond company's Office productivity suite.
The delivery of those patches may be delayed for some consumers and enterprise customers due to technical difficulties with the update servers delivering the patches. Downloads would be delayed until at least Wednesday for customers using Microsoft Update, Automatic Updates, Windows Server Update Services (WSUS), and Windows Update v6.
"To be clear, it's a delay due to the networking for these systems: there are no issues with the security updates themselves," Craig Gehre of the Microsoft Security Response Center said. "Technical teams are engaged and have been working around the clock to resolve this problem."
Of the critical updates, two are intended for Windows. Both fix remote code execution vulnerabilities - one in XML Core Services and the other in Windows Shell. Of the Office flaws, remote execution issues are fixed in PowerPoint, Excel, Word, and general issues were resolved across the entire suite.
One important flaw was repaired: a Windows Server Service bug that could result in a denial of service issue within the operating system. In both cases a specially crafted network message could either result in a system becoming unresponsive, or in the worst case scenario an attacker could take complete control of the affected system.
Rounding out October's Patch Tuesday were two moderate risk flaws, one in ASP.NET that could allow for information disclosure, and the other in the Windows Object Packager that allows for remote code execution. However, unlike the more severe code execution issues described earlier, in order for the flaw to be exploited, user interaction is required.
Finally, the least serious of the flaws, one rated as low risk, involves several vulnerabilities with the TCP/IP protocol within Microsoft Windows. Microsoft says the worst of the issues could result in a denial of service issue for users.
Security solutions company PatchLink recommended that users and IT departments apply the XML Core Services patch immediately before any of the other issued patches.
"This particular patch should be prioritized above the other critical patches from today because there are no temporary workarounds for this particular vulnerability and an IE exploit could be built that executes remote code simply by viewing a page," PatchLink director of solutions and strategy Don Leatham said.
Leatham recommended that all other patches be applied within 72 hours, especially in light of the multiple issues fixed Tuesday in the Office productivity suite.
"It is very simple to create a link in a web page can entice a user to unknowingly open a malicious Microsoft Office document," he said. "If the user doesn't have their Microsoft IE security set to 'high' they can end up automatically opening a Word, Excel or PowerPoint document that can allow an exploit run on their computer."