Lone Critical Fix in Light October Security Update
Microsoft will be rolling out one "critical" and six "important" bulletins for October's security update, planned for Tuesday. The lone critical fix will affect Microsoft Office and Microsoft Server Software, and will address a reported remote code execution flaw.
Marcus Carey, security researcher at Rapid7, provided some more details on the critical fix:
"Bulletin 1, marked as critical, is a vulnerability in Microsoft Office 2003, 2007, and 2010 as well as Word Viewer and Microsoft Office Web Apps," said Carey in an e-mail. "This vulnerability required a victim to open up a malicious file or even preview a malicious file in Outlook Web Access. This vulnerability could result in the complete compromise of a system if exploited. Since this is an Office vulnerability this may affect both Windows and Macintosh users."
The six important items will take care of remote code execution, elevation of privilege and denial of service flaws found in Microsoft Office, Lync, Windows and Microsoft SQL Server.
Many security experts suggest that IT should focus on Microsoft's change to certificate encryption, which Microsoft has been alerting the public to for the past few months.
"As we've been saying for the last several Patch Tuesdays, Microsoft is pushing out a patch that will break any encryption that is less than 1024-bit," said Paul Henry, security and forensic analyst at Lumension. "This patch has been optional since August and we hope you've taken the time to test it and patch it. It will no longer be an option starting on Tuesday. There are still a few days left if you haven't tested it, but don't let this be an 'I told you so' moment."
Specific details on the seven bulletin items will be available once the security update is released.