October is turning out to be a busy month for patches. Next week is Patch Tuesday, and both Adobe and Microsoft have published their advance notices, with one and eight bulletins respectively. In addition, on October 15th we are getting the Critical Patch Update from Oracle, which will include a new version for Oracle enterprise software, plus a new version of Java 7.
This month also marks the 10-year anniversary of the Patch Tuesday program, which Microsoft started in October of 2003. Over the past decade, it has become a model implementation of a patch program in both outreach to vulnerability submitters and predictability for IT administrators, who have been dealing with the increasing number of patches for their computer infrastructures. The team at Microsoft is professional and a pleasure to work with when we have implementation questions or need background information on mitigation possibilities.
Nevertheless, Microsoft has had a turbulent two weeks since their security advisory KB2887507, which detailed CVE-2013-3893, a 0-day vulnerability in Internet Explorer that was being used for targeted attacks in Asia. Since then, we have seen research that links the exploit to malware as early as August. There also have been reports of the exploit starting to be used in a more widespread manner by other cybercriminal groups, and its release as a Metasploit module just this week. A workaround (Fix-It) has been available since September 17.
But this situation is now resolved: Bulletin #1 is for Internet Explorer and addresses the recent 0-day. This is certainly the top-priority patch for next week and it affects all versions of Internet Explorer from 6 to 11. Fortunately, attack volume using this vulnerability has continued to be low and this has given Microsoft the opportunity to do a full test cycle on all possible combinations of operating systems and target sites.
Bulletins #2, #3 and #4 are all critical and address flaws in the Windows operating system, from Windows XP through Windows 8 and Windows RT.
Bulletins #6 and #7 address important vulnerabilities in Microsoft Excel and Microsoft Word. Both appear to be file-format vulnerabilities that allow remote code execution when a crafted file is opened. They should be high on your list of patches, as attackers frequently exploit these vulnerabilities through attachments to well-written e-mails that the addressed parties often open.
Bulletin #5 addresses an important vulnerability in Windows SharePoint Server and will matter most if you expose SharePoint on the Internet.
Bulletin #8 addresses an information disclosure vulnerability in Silverlight and is the least urgent of the eight patches.
Adobe is releasing new versions of Adobe Reader XI and Acrobat XI for Windows that address a critical vulnerability. As far as Adobe knows, the vulnerability is not being used in the wild in any attacks.
Author: Wolfgang Kandek, CTO, Qualys.