The critical update addresses a vulnerability that would allow remote code execution via Microsoft Office 2003, 2007 and 2010. It is not clear so far whether Office for Mac is affected: Wolfgang Kandek at Qualys says not; Marcus Carey, security researcher at Rapid7, speculates that “since this is an Office vulnerability [it] may affect both Windows and Macintosh users.”
According to SANS, the vulnerability also affects Microsoft Sharepoint and Microsoft Office Web Apps. “This vulnerability required a victim to open up a malicious file or even preview a malicious file in Outlook Web Access,” says Carey, adding that it “could result in the complete compromise of a system if exploited.” This particular patch should therefore be applied as soon as possible.
The remaining six bulletins are labeled ‘important’. These, summarizes SANS, “are affecting Office (and Sharepoint). Two patches affect Windows and one patch affects SQL Server.”
“Three of them,” adds Kandek, “affect components of the Office family but will only affect a subset of all organizations, as they are probably not very often installed.” Bulletin 2 patches remote code execution in Works 9; bulletin 3 addresses Infopath and Sharepoint; bulletin 4 is an update to Fast Search for Sharepoint; and bulletins 5 and 6 are local privilege elevation vulnerabilities for Windows “that,” comments Kandek, “can be used to gain administrative privileges – but would require an attacker to be already present on the machine.” Bulletin 7 is an update for all versions of MS-SQL Server and similarly addresses a local privilege escalation vulnerability.
All in all, an average Patch Tuesday for October. But Carey adds another warning note. “Microsoft will also be issuing an update this Tuesday that will deprecate the use of certificates that are less than 1024 bit encrypted. This could result in headaches for organizations who still have legacy certificates in production. This weekend will be the last weekend to clean up legacy certificates before next Tuesday.”