Microsoft Security Bulletins For October 2012 Released

Martin Brinkmann
Oct 9, 2012
Security, Windows

Microsoft released an out-of-band security update for Internet Explorer 10's integrated Flash Player yesterday, which brought Flash to the latest version. This time the update arrived on time, and not weeks after every other browser received it. It seems that the company has changed its deployment strategy for the built-in version of Flash: great.

Security updates for various Microsoft products have been released today as part of this month's Patch Tuesday. Affected products include Microsoft Office, Microsoft Windows, Server Software and Microsoft SQL Server. One of the bulletins released today has a maximum severity rating of critical, the highest possible rating; the remaining six are rated important, the second highest rating. A bulletin's maximum rating means that at least one version of an affected product has received that severity rating, while other versions may have been given the same or a lower rating.

  • MS12-064 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2742319) - This security update resolves two privately reported vulnerabilities in Microsoft Office. The more severe vulnerability could allow remote code execution if a user opens or previews a specially crafted RTF file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-065 - Vulnerability in Microsoft Works Could Allow Remote Code Execution (2754670) - This security update resolves a privately reported vulnerability in Microsoft Works. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Word file using Microsoft Works. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-066 - Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2741517) - This security update resolves a publicly disclosed vulnerability in Microsoft Office, Microsoft Communications Platforms, Microsoft Server software, and Microsoft Office Web Apps. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user.
  • MS12-067 - Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (2742321) - This security update resolves publicly disclosed vulnerabilities in Microsoft FAST Search Server 2010 for SharePoint. The vulnerabilities could allow remote code execution in the security context of a user account with a restricted token. FAST Search Server for SharePoint is only affected by this issue when Advanced Filter Pack is enabled. By default, Advanced Filter Pack is disabled.
  • MS12-068 - Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2724197) - This security update resolves a privately reported vulnerability in all supported releases of Microsoft Windows except Windows 8 and Windows Server 2012. This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
  • MS12-069 - Vulnerability in Kerberos Could Allow Denial of Service (2743555) - This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote attacker sends a specially crafted session request to the Kerberos server. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
  • MS12-070 - Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849) - This security update resolves a privately reported vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). The vulnerability is a cross-site-scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the SSRS site in the context of the targeted user. An attacker could exploit this vulnerability by sending a specially crafted link to the user and convincing the user to click the link. An attacker could also host a website that contains a webpage designed to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.

Updates are already available on Windows Update. If you have been working on your PC today, you may need to click on the check for updates link to force Windows to check for new updates for the operating system.

[Image: Microsoft Windows updates, October 2012]

Updates are not yet available on Microsoft's Download Center, but that will certainly happen in the next couple of hours. There you will also find the monthly security ISO image when it gets released.

As far as deployment goes, Microsoft suggests the following course of action: start with the deployment of the only critical security bulletin, MS12-064, followed by the deployment of bulletins MS12-066, MS12-067 and MS12-069, in that order.

[Image: bulletin deployment priority, October 2012]

And here is the severity and exploitability index for October's bulletins.

[Image: Microsoft severity rating, October 2012]

It is also important to note that Microsoft is making the minimum certificate key length update available via Windows Update today.


Comments

  1. Q said on November 6, 2012 at 9:55 pm

    No we do not download themes. This seems to be happening on our Citrix servers ever since installing the following patch: KB2553488.

  2. Una said on November 6, 2012 at 9:51 pm

    Are you producing your style only, or even downloading it
    from ThemeForest?

  3. Q said on November 1, 2012 at 5:56 pm

    Hello, has anyone experienced issues with KB2553488 and double spacing with MS Word documents?

  4. ilev said on October 10, 2012 at 7:31 am

    None of these security holes has been found by Microsoft security team.

  5. Paul(us) said on October 10, 2012 at 5:22 am

    18 updates this month for me, Martin. Thanks for the clarification of what the updates are for and what they are doing, again.
