Microsoft has queued up fixes for 23 vulnerabilities, but IT administrators will have just a few critical flaws to deal with in a fairly light Patch Tuesday on Oct. 11.
Microsoft plans to patch 23
vulnerabilities in Microsoft Windows, Silverlight and server software as part
of the October Patch Tuesday release.
Microsoft will release eight
security bulletins, of which two are rated "critical," according to
the Microsoft Security Bulletin Advance Notification issued Oct. 6. The
remaining important bulletins address flaws in Forefront Unified Access
Gateway, Host Integration Server as well as some versions of Windows.
One of the critical
bulletins patches a bug in Windows and Internet Explorer that if exploited
would allow attackers to remotely spread malicious code, Microsoft said.
Affected software versions include Internet Explorer 6 through 8, Windows XP,
Vista and 7, as well as Windows Server 2003 and 2008.
"As usual, this month
we will receive the mandatory critical update to Internet Explorer,"
Andrew Storms, director of security for nCircle, told eWEEK.
Attackers will continue to
trick users into clicking on malicious links, so they will continue exploring
Web browsers and plug-ins for weaknesses to exploit, Marcus Carey, security
researcher at Rapid7, told eWEEK.
"My standard advice is
to be careful when browsing," Carey said.
The other critical bulletin
fixes a bug present in .NET and Silverlight. It "looks very close" to
a bug patched in June that allows remote code execution in both frameworks,
according to Carey. He noted that the implications would most likely mirror
MS11-039 in that attackers can launch server and client-side attacks through
.NET and Silverlight applications.
When bugs are disclosed in a
product, exploit developers often look for similar issues within the product
that result in the same type of vulnerabilities, Carey said.
The bugs "could provide
a good hunting ground for malware authors," Storms said.
One of the bulletins fixing
bugs in Microsoft Forefront Unified Access Gateway 2010 was
"interesting" to Carey because of the fact that it was found in the
"No one wants to hear
that software that is designed for security is vulnerable to remote code
execution," Carey said. Attackers will likely look at this bulletin and
related vulnerabilities closely, and organizations should keep an eye out for
any suspicious activity on servers running Forefront, he added.
Nearly all the patches in
this bulletin require a restart, which will "cause widespread disruptions
across both Internet connected servers and user community desktops," Paul
Henry, security and forensic analyst for Lumension, told eWEEK.
As for the release's size,
Storms said it was as expected. "It's significantly less than October 2010
when we were treated to 16 bulletins that patched a whopping 49 vulnerabilities,"
Microsoft is also expected
to release an updated version of the Malicious Software Removal Tool as part of
the Patch Tuesday release to address the issue where Microsoft Security
Essentials and Forefront were accidentally flagging Google's Chrome Web browser
as malicious and erasing it from Windows systems.
Along with the advance
notification, Microsoft released Service Pack 3 for Office 2007 and SharePoint
2007, which includes a roll up of previously patched issues as well as newly
Microsoft is scheduled to
distribute the October Patch Tuesday updates Oct. 11.