Microsoft has just provided advance notice of the patches that are scheduled to be released for October. There are a total of nine patches scheduled to be released. Three of which are identified as CRITICAL and the remaining patches classified as IMPORTANT (five) or MODERATE (only 1). Bulletin #1 applies to all current workstation versions of Internet Explorer and is classified as CRITICAL. The bulletin is classified as MODERATE for Server Operating Systems that don’t only have SERVER CORE installations. Bulletins #2 and #3 are also designated as CRITICAL but that designation is applied to Server Operating Systems installations in addition to Workstation operating systems (even if server core only installations were performed).
Additional details will be made available on Tuesday, after the patches have been released.
Update Oct 14 1:00 p.m
Microsoft has just released the patches for October for download. Microsoft had initially indicated nine patches were scheduled to be released, however as of 10/14, only eight are listed on the October patch announcement page – https://technet.microsoft.com/library/security/ms14-oct . It would appear the one identified as MODERATE has not been published.
Bulletin #1 for Internet Explorer includes fourteen privately reported vulnerabilities. No resources normally used indicated any of the Internet Explorer vulnerabilities had been identified publically previously. At least one of the most severe of the Internet Explorer vulnerabilities enable remote code execution if successfully exploited. While not publically reported, notes from Microsoft indicate they are aware of targeted attacks for the Internet Explorer vulnerabilities.
Bulletin #2 for .NET frame work includes three privately reported vulnerabilities. At least one of the most severe of the .NET framework vulnerabilities enable remote code execution if successfully exploited.
Bulletin #3 for Kernel mode drivers include two privately reported vulnerabilities. At least one of the most severe of the kernel mode driver vulnerabilities enable remote code execution if successfully exploited. Resources other than Microsoft indicated that this vulnerability is currently being exploited in limited attacks.
The remaining bulletins are classified as IMPORTANT and could either enable Remote Code Execution or Elevation of Privilege if successfully exploited.
The overall recommendation by the AgriLife IT ISO is to apply the Internet Explorer patch (bulletin #1) to all workstations as soon as possible and apply the .NET frame work patch (bulletin #2) to all server systems following adequate testing.
Also, Adobe is releasing a patch for Flash. The updated version is 22.214.171.124, additional details are available at http://helpx.adobe.com/security/products/flash-player/apsb14-22.html
Adobe has assigned a critical rating to these vulnerabilities and recommends that the flash update be applied as soon as possible.
Additionally, Oracle is releasing its quarterly Critical Patch update on October 14. It will include new versions of Java 8 and also Java 7. The new versions address twenty-five significant vulnerabilities (rated at 10.0 using CVSS scoring). Twenty-two of which could be remotely exploited without authentication. Websites will likely be deployed in the near future that attempt to exploit these vulnerabilities for Java Desktop installations.
It is recommended that all Java desktop installations be updated as soon as possible. As the Oracle patches are still listed in prerelease, version numbers for updated java are not yet available. The following URL will be updated by Oracle when the patches are released publically – http://www.oracle.com/technetwork/topics/security/alerts-086861.html