Last month, we got a bit of a break: Microsoft issued only four security bulletins and, unlike the July and August patches, none of the September patches resulted in widespread problems (those with long memories might recall that the company wasn’t so lucky the previous year, when the September 2013 patches caused numerous reports of problems).
October is traditionally the month for fans of horror stories, so we’re crossing our fingers and hoping this month’s updates won’t bring any Halloween-like surprises. We have a medium-sized slate of patches: nine in all, three of which have been given a severity rating of critical; all of those are remote code execution issues – as are the vast majority of critical patches. One is rated moderate, and the remaining five are classified as important.
Seven of the nine pertain to various versions of Microsoft Windows (with some of those also affecting Internet Explorer, .NET and Office). One applies only to Office and Office Web Apps, while the last one is a patch for Microsoft Developer Tools. In addition to the three critical remote code execution vulnerabilities, two of the important bulletins are of the same type, along with three elevation of privilege vulnerabilities and one security feature bypass.
Bulletin 1 is the one that impacts the web browser, and that applies to all currently supported iterations of IE, versions 6 through 11. However, the severity differs depending on the underlying operating system. As usual, the rating is only moderate for IE on server products (Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2), whereas it’s critical on Windows client machines (Vista, Windows 7, Windows 8 and Windows 8.1, as well as Windows RT and RT 8.1). Naturally, this particular update doesn’t apply to the server core installations of Windows Server, since they don’t run a web browser.
The Office products that are affected by this month’s vulnerabilities include Office 2007 SP3, Office 2010 SP 1 and 2, Office for Mac 2011 and the Office Compatibility Pack SP3. SharePoint Server 2010 SP 1 and 2 Word Automation Services and Office Web Apps Server 2010 with or without SP 1 or 2 are also affected.
Finally, the ASP.NET MVC (Model View Controller) developer tool is subject to the vulnerabilities addressed by Bulletin 6, and this includes versions 2.0 through 5.1.
It’s a fairly full slate of patches that’s coming down the pike next week, so be prepared to spend some time on these updates. All of them either definitely do or may require a restart after application, so there will be a little downtime involved in the installation process. Check back with us on Patch Tuesday for the full story on the vulnerabilities, and in the meantime, if you want more detailed information, you can check out the Advance Notification web page on the Microsoft TechNet site.