Microsoft has provided advance notice of the patches scheduled for release on October 9. There is only one CRITICAL patch and six IMPORTANT patches. The one critical patch applies to the following packages: Microsoft Word on Office 2003 SP3, Office 2007 SP2 and SP3, Office 2010 (32-bit and 64-bit), Word Viewer, Office Compatibility Pack SP2 and SP3, Microsoft SharePoint Server 2010, and Office Web Apps SP1. More information will be provided Tuesday as details are made available.
Bulletin #1 – CRITICAL
– Affected Software:
- Microsoft Word 2003 Service Pack 3
- Microsoft Word 2007 Service Pack 2 and Microsoft Word 2007 Service Pack 3
- Microsoft Word 2010 Service Pack 1 (32-bit editions)
- Microsoft Word 2010 Service Pack 1 (64-bit editions)
- Microsoft Word Viewer
- Microsoft Office Compatibility Pack Service Pack 2 and Microsoft Office Compatibility Pack Service Pack 3
- Microsoft SharePoint Server 2010 Service Pack 1
- Microsoft Office Web Apps 2010 Service Pack 1
– Impact: Remote Code Execution
Update October 9 2:00 pm.
As of Tuesday, October 9, Microsoft has released the October patches. As previously indicated, a total of seven patches were released for October: one classified as CRITICAL and six classified as IMPORTANT. The CRITICAL vulnerability had not been publicly identified prior to October 9. It could enable Remote Code Execution if exploited.
Critical Vulnerability – MS12-064 – apply to workstations running Office Word viewers and editors as soon as possible.
The vulnerability identified as CRITICAL exists in most supported versions of Microsoft Word, Office Compatibility Packs, Office Word viewers, Office Web Apps, and SharePoint. This vulnerability is identified as MS12-064 (http://technet.microsoft.com/en-us/security/bulletin/ms12-064 ). Because Word content can easily be included in email attachments, and the vulnerability is now publicly disclosed, it is believed that exploit code will materialize in the near future. For that reason, the AgriLife ISO recommendation is to apply this patch to workstations as soon as possible.
IMPORTANT publicly disclosed vulnerabilities – MS12-066 and MS12-067 – apply to SharePoint Servers with Advanced Filter Pack enabled as soon as possible
Two of the vulnerabilities had been publicly identified before the release; both are classified as IMPORTANT. They apply to HTML Sanitization, MS12-066 (http://technet.microsoft.com/en-us/security/bulletin/ms12-066 ), and to Fast Search server SharePoint installations, MS12-067 (http://technet.microsoft.com/en-us/security/bulletin/ms12-067 ). The HTML Sanitization vulnerability is an Elevation of Privilege vulnerability, while the Fast Search server vulnerability is a Remote Code Execution vulnerability.
Because the Fast Search vulnerability specifically applies to SharePoint servers with Advanced Filter Pack enabled (note: Advanced Filter Pack is DISABLED by default), the AgriLife ISO recommendation is that any SharePoint systems with Advanced Filter Pack enabled be patched as soon as possible.
Adobe Flash vulnerability
In addition to the Microsoft patches, Adobe released a patch for a large number of vulnerabilities in Adobe Flash Player. All Windows and Macintosh systems with Adobe Flash installed should update to version 11.4.402.287 as soon as possible. Additional details on the Adobe patch are available from http://www.adobe.com/support/security/bulletins/apsb12-22.html