
It's Microsoft Patch Tuesday: October 2012

Deb Shinder gathers the information you need to make the right deploy decision when applying Microsoft's October 2012 patches in your organization.

Time flies when you're having fun, and I must have had a lot of fun this past month because I can't believe it's already that time again: Patch Tuesday is upon us. After September's unusually light load, many were expecting a scary array of security bulletins for this Halloween month, but instead we have a middle-of-the-road lineup, with six important bulletins and only one that's rated as "critical." The majority of the patches (four of them, including the critical update) affect Microsoft Office and server software, while a couple affect Windows and one affects SQL Server.

This blog post is also available in PDF format as a TechRepublic Download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

MS12-064/KB2742319 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (Microsoft Office 2003 SP3, Office 2007 SP2 and SP3, and Office 2010 SP1; Microsoft Word Viewer, Microsoft Office Compatibility Pack SP2 and SP3; Microsoft SharePoint Server 2010 SP1 and Microsoft Office Web Apps 2010 SP1):

This update addresses two vulnerabilities, one of which opens a system up to complete compromise if a user opens a malicious RTF document, or even just previews it in the Word Viewer. The problem is caused by the way Microsoft Office handles memory when parsing certain files. The exploit is more dangerous when the user has administrative rights. Outlook is not directly affected, but if Outlook uses Word as its email reader (the default in Outlook 2007 and 2010), an RTF email message can be leveraged to exploit the vulnerability. Note that for Office 2007, you need to install the security update for the Microsoft Office Compatibility Pack (KB2687314) as well as security update KB2687315.

MS12-065/KB2754670 - Vulnerability in Microsoft Works Could Allow Remote Code Execution (Microsoft Works 9):

Microsoft Works is a low-cost alternative to Office for some users, which can open Word documents. It is not affected by the foregoing security bulletin, but there is also a vulnerability in Works 9 that can allow remote code execution if a user opens a malicious Word file, due to the way Works converts Word documents. As with the Word vulnerability, the attacker can obtain the same level of rights as the currently logged-on user. Note that the fact that only version 9 is named in the bulletin does not mean previous versions are safe; those versions are past expiration of support and were not tested.

MS12-066/KB2741517 - Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (Microsoft InfoPath 2007 SP2 and SP3; InfoPath 2010 SP1; Microsoft Communicator 2007 R2; Microsoft Lync 2010 and Lync 2010 Attendee (both admin-level and user-level install); Microsoft SharePoint Server 2007 SP2 and SP3; Microsoft SharePoint Server 2010 SP1; Microsoft Groove Server 2010 SP1; Windows SharePoint Services 3.0 SP2; SharePoint Foundation 2010 SP1; Microsoft Office Web Apps 2010 SP1):

This vulnerability affects a plethora of enterprise-level Office applications and can allow an elevation-of-privilege attack when an attacker sends malicious content to a user, due to a problem with the way HTML strings are sanitized. Some affected software, such as Microsoft Office Web Apps 2010 SP1, has multiple update packages available; all of these should be installed and can be installed in any order. Auto update is not available for the Lync 2010 Attendee user-level install; this one must be obtained through the Microsoft Download Center. Also note that if you're using SharePoint Server 2007, you should install the update for SharePoint Services 3.0 (KB2687356) along with KB2687405.

MS12-067/KB2742321 - Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (Microsoft FAST Search Server 2010 for SharePoint SP1, FAST SS 2010 for Internal Applications, FAST SS 2012 for Internet Business and FAST SS 2010 for SharePoint Internet Sites; FAST ESP 5.2 and 5.3):

FAST Search Server for SharePoint is an enterprise-level product that can be deployed across multiple servers. When the Advanced Filter Pack (which is disabled by default) is enabled, this vulnerability can allow remote code execution in the security context of a user with a restricted token. There is also a workaround (Security Advisory 2737111) to disable the Advanced Filter Pack. You do not have to undo that workaround before applying this update. The vulnerability is in a custom implementation of the Oracle Outside In libraries.

MS12-068/KB2724197 - Vulnerability in Windows Kernel Could Allow Elevation of Privilege (Windows XP SP3, XP Pro x64 SP2, all editions of Windows Server 2003 SP2, all editions of Windows Server 2008 SP2, all editions of Windows 7 with and without SP1, all editions of Windows Server 2008 R2 with and without SP1, including server core installations):

This update fixes a vulnerability whereby an attacker can log onto a system and run a specially crafted application to obtain an elevation of privileges; it works only if the attacker has valid logon credentials and can log on locally. This does not affect Windows 8 and Windows Server 2012.

MS12-069/KB2743555 - Vulnerability in Kerberos Could Allow Denial of Service (all editions of Windows 7, with and without SP1; all editions of Windows Server 2008 R2, with and without SP1, including server core installations):

This update fixes a flaw in the way Kerberos handles a specially crafted session, which can be exploited by an attacker who sends a specially crafted session request to the Kerberos server to create a denial-of-service condition. Windows XP, Vista and Windows 8 are not affected, and neither are Server 2003, 2008 and 2012. This is specific to Windows 7 and Server 2008 R2.

MS12-070/KB2754849 - Vulnerability in SQL Server Could Allow Elevation of Privilege (most editions of SQL Server 2005 SP4, all editions of SQL Server 2008 SP2 and SP3, most editions of SQL Server 2008 R2 SP1, all editions of SQL Server 2012):

This vulnerability affects SQL Server on systems that are running SQL Server Reporting Services (SSRS) and uses cross-site scripting (XSS) to elevate privileges so that an attacker can execute arbitrary commands in the security context of the targeted user. This is done by sending a link to the user or by hosting or compromising a web site with code to exploit the vulnerability. The user would have to click the link or visit the site to enable the attack. The problem is caused by the way the SQL Server Report Manager (SSRM) validates input parameters. The update will also be offered to SQL Server clusters. If the cluster has a passive node, you should apply the update first to the active node and then to the passive node.
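Once you have decided to deploy, the next question is which machines actually received the Windows-level packages. The following PowerShell check is an added example, not part of the article; it queries installed hotfixes for the Windows KBs named above. Note that Get-HotFix reads Win32_QuickFixEngineering, which lists Windows updates only: the Office, SharePoint and SQL Server packages from this month will not appear there, and KB2743555 applies only to Windows 7 and Server 2008 R2, so it will report as missing on other versions.

```powershell
# Added example: report which of the October 2012 Windows packages are
# missing on one or more hosts. Assumes WMI/DCOM access to remote hosts.
$required = @(
    'KB2724197',  # MS12-068 Windows kernel elevation of privilege
    'KB2743555',  # MS12-069 Kerberos DoS (Windows 7 / Server 2008 R2 only)
    'KB2756822'   # DST / time zone cumulative update
)

function Test-OctoberPatches {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($computer in $ComputerName) {
        try {
            # HotFixID is the "KBnnnnnnn" string shown in Programs and Features
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID
        } catch {
            Write-Warning "$computer : could not enumerate hotfixes ($_)"
            continue
        }

        foreach ($kb in $required) {
            [pscustomobject]@{
                Computer  = $computer
                KB        = $kb
                Installed = ($installed -contains $kb)
            }
        }
    }
}

# Show only the gaps; pass -ComputerName to cover several hosts at once
Test-OctoberPatches | Where-Object { -not $_.Installed } | Format-Table -AutoSize
```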

Other Updates/Releases

KB2731771 - Update for Windows 7 and Windows Server 2008 R2: This non-security update is for Windows 7 with and without SP1, designed to "resolve issues in Windows."

KB2739159 - Update for Windows 7 and Windows Server 2008 R2: Another recommended non-security update to address unnamed (at the time of release) issues in Windows.

KB2744129 - Update for Windows Server 2008 x64 Edition: This one resolves unspecified issues in the 64-bit edition of Windows Server 2008. However, it is classified by Microsoft as "important."

NOTE: More information on the three foregoing updates will be available in the associated KB articles, which had not been posted to the Microsoft web site at the time of release.

KB2756822 - Update for Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This is a non-security update rollup that's classified as high priority and resolves issues caused by revised daylight saving time and time zone laws in several countries. It will enable the computer to automatically adjust its clock for DST on the correct date in 2012. A restart may be needed after installation.

KB890830 - As usual, Microsoft released an updated version of the Malicious Software Removal Tool (MSRT) for Windows XP, Vista, 7, 8 and Server 2003 and 2008.

Updates since the last Patch Tuesday

MS12-063/KB2744842 - Cumulative Security Update for Internet Explorer (Internet Explorer 6, 7, 8 and 9 on all supported versions of Windows XP, Vista and Windows 7 and Windows Server 2003, 2008 and 2008 R2): Microsoft released an out-of-band patch on September 21. This update addresses five vulnerabilities in IE, one of which was publicly disclosed and four that were reported privately. If a user visits a specially crafted malicious web page, the attacker can obtain user rights equal to those of the currently logged-on user and could execute remote code. The exploit is most dangerous against administrative users on Windows client systems. Internet Explorer 10 on Windows 8 and Server 2008/2008 R2 server core installations are not affected.

Advisory 2755801/KB2758994 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10 (IE 10 on Windows 8 32- and 64-bit systems and Windows Server 2012): This update, released October 8 (one day before Patch Tuesday), makes changes to the Adobe Flash libraries in IE 10 to address vulnerabilities in Adobe's Flash Player software.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

17 comments
LorinSA

I have numerous machines that are hanging either on installing update, configuring updates, shutting down after installing updates, or at please wait after installing updates, and it seems to be spreading. Each one acts a little differently, and is different when trying to get around the problem. Sometimes restarting in safe mode will revert the changes and allow it to come up. Sometimes it takes multiple tries, and then sometimes it requires using a restore point. Does anyone have a definitive answer for the problems with this update?

husberger

If you drag and drop an attachment from one email to a new one, or copy and paste the attachment from one email to a new one, with these KBs installed the attached file in the new email will end up with a double file extension. Or these KBs will add an extra file extension on the attached file in the new email (filename.pdf will be named filename.pdf.pdf in the new email). This will most likely block the email from being received if the receiver is using any SPAM/AV system that, with good reason, blocks attachments with double or more file extensions. Pretty annoying.

steve

Well, I keep trying to post something on a major problem with KB2687315, but I can't seem to get it on this forum!

Charles Bundy

during Patch Tuesday for me. More specifically it is [i]Update Rollup 7-v2 for Exchange Server 2010 Service Pack 1[/i]. Post reboot, Outlook Web Access would only present a blank page. Turned out an important post-install script wasn't run. Had to run the EMC as Administrator and execute the following to finish the install - [b]C:\Program Files\Microsoft\Exchange Server\V14\bin\UpdateCAS.ps1[/b]

Gisabun

There are other hotfixes that were released yesterday or just prior: 2646886 2729094 2732487 2732500 2739286 2749655 2757817

rjroati

Great article. Small point. You wrote: "Note that for Office 2007, you need to install the security update for the Microsoft Office Compatibility Pack (KB2687314) as well as security update KB2687315." There are corresponding patches for Word 2003 and 2010 as well, KB2687483 and KB2553488.

boniggy

I have all my remote users down and using the VPN now because one of these patches killed the SSL digital signature. I have a laptop without any patches on it that works remotely, so I'm installing them one by one until I can pinpoint which one fubar'd the SSL. I'd go thru the descriptions of each patch BUT, like SmcKenna said, the lack of documentation is really bad. I've even wiped out and reinstalled all my company SSLs and still nothing is working. I've installed the same SSL on a non-patched computer and it's fine. I'll post back if I find out which one killed my SSL. EDIT: KB2661254 is what killed my SSL cert. An uninstall of that update has fixed my issue.

Pats3

Had one patch yesterday (Tuesday). Today (Wednesday) I had 9??????

smckenna

Rant on: I'm unhappy with the lack of documentation on patches from MS these days. I'm supposed to make a decision on whether to apply a patch or not, but they only give me a link to another web site which may/may not actually tell me something. This is not right. Treat your customers like grown-ups and treat them like CUSTOMERS... rant off.

stackerpm

Hi all, I have read MS12-070/KB2754849 - Vulnerability in SQL Server Could Allow Elevation of Privilege. I can't seem to find any updates in this regard for SQL Server 2008 R2 RTM. So my questions are: 1. What if my database version is 10.50.1600.1 (x64)? Does this mean that we are cleared of this security issue? (I'm assuming not.) Or does this mean that RTM is not covered for security updates? 2. How will we apply this security fix for 2008 R2 (RTM)? (Take note that my DB is not 2008 R2 SP1 or SP2.) Thanks guys!

pdr5407

Have not had any issues with installing Windows updates; there are 17 total to install this update Tuesday on my Win7 desktop.

Mark W. Kaelin

Are the Microsoft patches giving you trouble this month? Maybe your peers can help - describe the problems you are having.

nico1et

I have had to restore my HP desktop numerous times this month, just to get it working again. Most times it just hangs w/o loading Windows completely (nor connecting online). I even went to the trouble to install the updates one at a time, & I thought it went OK - until I didn't turn my computer on for a few days - & when I tried this a.m., it again hung like the other times. I had to restore to an earlier date (10/8) - but I see in this one log that I copied while in safe mode that there were problems even on the 1st of the month (Service Control Manager, for one). I cannot d/l & install any of these updates... I haven't had problems for ages, & now it's constant. (This might make me think of a Mac in the future.)

Gisabun

Whatever you had better be corrected. MS warned about this since at least August. It will come back again.

Slayer_

It looks like it adds APIs for date conversions or something like that. http://support.microsoft.com/kb/2731771

boniggy

Well, I somehow missed that note from them. From their article about what you are referring to, they are talking about how you need to have at least 1024-bit encryption on your SSL keys; mine has 2048. So apparently I have another issue somewhere. For now, that update has been reverted on my machines and disabled. I'll load it back up on a dummy laptop and see what's going on with it thru some more testing.
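The comments above trace a certificate failure to KB2661254 and its minimum of 1024-bit keys. Before reverting an update like that, it helps to rule the key-length cause in or out across the machine's certificate stores; the following PowerShell audit is an added example, not from the article or the commenters, and assumes the .NET Framework X509Certificate2 object exposes the public key via PublicKey.Key (true for RSA and DSA keys).

```powershell
# Added example: list certificates in the local machine stores whose public
# key is shorter than the given minimum, so a 2048-bit cert (as in the comment
# above) can be cleared and the search moved to the chain or the application.
function Get-WeakKeyCertificate {
    param([int]$MinimumBits = 1024)

    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $key = $_.PublicKey.Key   # $null for key types .NET cannot wrap
            if ($key -and $key.KeySize -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = ($_.PSParentPath -replace '^.*::', '')
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $key.KeySize
                    Thumbprint = $_.Thumbprint
                    Expires    = $_.NotAfter
                }
            }
        }
}

# Issuer and Store columns show whether the weak key sits in the leaf cert,
# an intermediate, or a root the update would now reject
Get-WeakKeyCertificate | Sort-Object Store, Subject | Format-Table -AutoSize
```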
