The second Tuesday of every month is patch day at Microsoft. What does that mean? On that day Microsoft pushes out the month's security patches to all users of its Windows operating systems and of other applications such as Microsoft Office. Only highly critical vulnerabilities receive out-of-band security patches between patch days.
This month's patch day is huge. While it is not the largest in history, it addresses an impressive 49 vulnerabilities affecting Windows, Internet Explorer, Microsoft Office and the .NET Framework.
Looking at the number and type of updates this month, we have a fairly standard number of bulletins affecting products like Windows and Office. This month we also have a few bulletins originating from product groups that we don't see on a regular basis. For example, SharePoint, the Microsoft Foundation Class (MFC) Library (which is an application framework for programming in Windows), and the .NET Framework. It's worth noting that only six of the 49 total vulnerabilities being addressed have a critical rating. Further, three of the bulletins account for 34 of the total vulnerabilities. (via)
Severity and Exploitability
Four of the bulletins carry a maximum severity rating of critical, ten are rated important and the remaining two moderate. Note that these ratings apply per bulletin; several bulletins fix more than one vulnerability, which is why Microsoft counts six critical vulnerabilities above. Excerpts from the exploitability notes of three of this month's bulletins:
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted OpenType font. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs specially crafted code that sends an LPC message to the local LRPC Server. The message could then allow an authenticated user to access resources that are running in the context of the NetworkService account. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
The patches are, as usual, available via Windows Update and the Microsoft Download Center. Microsoft has furthermore released the October 2010 Security Release ISO Image containing all referenced security patches and Knowledge Base articles.
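Administrators rolling out a patch day usually want to confirm afterwards which updates actually landed on a host. The following PowerShell script is an added example, not code from the ghacks article or from Microsoft: it computes the patch Tuesday date for a given month (October 2010 here, the month this article covers) and lists the hotfixes installed on or after it. The list of expected KB numbers is a parameter the operator supplies from the month's bulletin summary; none are hard-coded, and the function and parameter names are this example's own.

```powershell
# Added example (not from the ghacks article): verify a Patch Tuesday rollout on a Windows host.
# Assumptions: Windows PowerShell 3.0 or later; Get-HotFix (backed by the
# Win32_QuickFixEngineering WMI class) is available; the operator supplies the KB
# numbers expected for the month. No KB numbers are hard-coded here.

function Get-PatchTuesday {
    param(
        [int]$Year  = (Get-Date).Year,
        [int]$Month = (Get-Date).Month
    )
    # Second Tuesday of the month: find the first Tuesday, then add seven days.
    $first  = Get-Date -Year $Year -Month $Month -Day 1 -Hour 0 -Minute 0 -Second 0
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Test-PatchTuesdayRollout {
    param(
        [Parameter(Mandatory)] [datetime]$PatchDay,
        [string[]]$ExpectedKB = @()   # e.g. 'KB123456'; taken from the bulletin summary by the operator
    )
    # Caveat: Win32_QuickFixEngineering only tracks OS-level hotfixes. Office updates
    # (delivered as MSP patches) do not appear here and must be checked separately.
    $all       = Get-HotFix
    $installed = $all | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDay }
    $missing   = @($ExpectedKB | Where-Object { $_ -notin $all.HotFixID })

    [pscustomobject]@{
        PatchDay        = $PatchDay.ToString('yyyy-MM-dd')
        InstalledSince  = ($installed | Sort-Object InstalledOn |
                               Select-Object HotFixID, Description, InstalledOn)
        MissingExpected = $missing
        Compliant       = ($missing.Count -eq 0)
    }
}

# Usage: October 2010 is the month the article covers; Get-PatchTuesday returns 2010-10-12.
# Pass the month's KB numbers to -ExpectedKB to get a compliance verdict instead of a plain listing.
$pt = Get-PatchTuesday -Year 2010 -Month 10
Test-PatchTuesdayRollout -PatchDay $pt -ExpectedKB @() | Format-List
```

Run it on the host after the update cycle completes; a reboot-pending update may not be recorded until the machine restarts, and `Compliant` is only meaningful when `-ExpectedKB` is populated.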
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.