Time flies when you’re having fun, and I must have had a lot of fun this past month because I can’t believe it’s already that time again: Patch Tuesday is upon us. After September’s unusually light load, many were expecting a scary array of security bulletins for this Halloween month, but instead we have a middle-of-the-road lineup, with six important bulletins and only one that’s rated as “critical.” The majority of the patches (four of them, including the critical update) affect Microsoft Office and Server software, while a couple affect Windows and one affects SQL Server.
This blog post is also available in PDF format as a TechRepublic Download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.
Security Patches
MS12-064/KB2742319 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (Microsoft Office 2003 SP3, Office 2007 SP2 and SP3, and Office 2010 SP1; Microsoft Word Viewer, Microsoft Office Compatibility Pack SP2 and SP3; Microsoft SharePoint Server 2010 SP1 and Microsoft Office Web Apps 2010 SP1):
This update addresses two vulnerabilities, one of which opens a system up to complete compromise if a user opens a malicious RTF document, or even just previews it in the Word Viewer. The problem is caused by the way Microsoft Office handles memory when parsing certain files. The exploit is more dangerous when the user has administrative rights. Outlook is not directly affected, but if Outlook uses Word as its email reader (the default in Outlook 2007 and 2010), an RTF email message can be leveraged to exploit the vulnerability. Note that for Office 2007, you need to install the security update for the Microsoft Office Compatibility Pack (KB2687314) as well as security update KB2687315.
MS12-065/KB2754670 – Vulnerability in Microsoft Works Could Allow Remote Code Execution (Microsoft Works 9): Microsoft Works is a low-cost alternative to Office for some users, which can open Word documents. It is not affected by the foregoing security bulletin, but there is also a vulnerability in Works 9 that can allow remote code execution if a user opens a malicious Word file, due to the way Works converts Word documents. As with the Word vulnerability, the attacker can obtain the same level of rights as the currently logged-on user. Note that the fact that only version 9 is named in the bulletin does not mean previous versions are safe; those versions are past the expiration of support and were not tested.
MS12-066/KB2741517 – Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (Microsoft InfoPath 2007 SP2 and SP3; InfoPath 2010 SP1; Microsoft Communicator 2007 R2; Microsoft Lync 2010 and Lync 2010 Attendee (both admin level and user level install); Microsoft SharePoint Server 2007 SP2 and SP3; Microsoft SharePoint Server 2010 SP1; Microsoft Groove Server 2010 SP1; Windows SharePoint Services 3.0 SP2; SharePoint Foundation 2010 SP1; Microsoft Office Web Apps 2010 SP1):
This vulnerability affects a plethora of enterprise-level Office applications and can allow an elevation-of-privilege attack when an attacker sends malicious content to a user, due to a problem with the way HTML strings are sanitized. Some affected software, such as Microsoft Office Web Apps 2010 SP1, has multiple update packages available; all of these should be installed and can be installed in any order. Auto update is not available for the Lync 2010 Attendee user-level install; this one must be obtained through the Microsoft Download Center. Also note that if you’re using SharePoint Server 2007, you should install the update for SharePoint Services 3.0 (KB2687356) along with KB2687405.
MS12-067/KB2742321 – Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (Microsoft FAST Search Server 2010 for SharePoint SP1, FAST SS 2010 for Internal Applications, FAST SS 2012 for Internet Business and FAST SS 2010 for SharePoint Internet Sites; FAST ESP 5.2 and 5.3):
FAST Search Server for SharePoint is an enterprise-level product that can be deployed across multiple servers. When the Advanced Filter Pack (which is disabled by default) is enabled, this vulnerability can allow remote code execution in the security context of a user with a restricted token. There is also a workaround (Security Advisory 2737111) to disable the Advanced Filter Pack. You do not have to undo that workaround before applying this update. The vulnerability is in a custom implementation of the Oracle Outside In libraries.
MS12-068/KB2724197 – Vulnerability in Windows Kernel Could Allow Elevation of Privilege (Windows XP SP3, XP Pro x64 SP2, all editions of Windows Server 2003 SP2, all editions of Windows Server 2008 SP2, all editions of Windows 7 with and without SP1, all editions of Windows Server 2008 R2 with and without SP1, including server core installations): This update fixes a vulnerability whereby an attacker can log onto a system and run a specially crafted application to obtain an elevation of privileges; it works only if the attacker has valid logon credentials and can log on locally. This does not affect Windows 8 and Windows Server 2012.
MS12-069/KB2743555 – Vulnerability in Kerberos Could Allow Denial of Service (all editions of Windows 7, with and without SP1; all editions of Windows Server 2008 R2, with and without SP1, including server core installations): This update fixes a flaw in the way Kerberos handles a specially crafted session, which can be exploited by an attacker who sends a specially crafted session request to the Kerberos server to create a denial-of-service condition. Windows XP, Vista and Windows 8 are not affected, and neither are Server 2003, 2008 and 2012. This is specific to Windows 7 and Server 2008 R2.
MS12-070/KB2754849 – Vulnerability in SQL Server Could Allow Elevation of Privilege (most editions of SQL Server 2005 SP4, all editions of SQL Server 2008 SP2 and SP3, most editions of SQL Server 2008 R2 SP1, all editions of SQL Server 2012): This vulnerability affects SQL Server on systems that are running SQL Server Reporting Services (SSRS) and uses cross-site scripting (XSS) to elevate privileges so that an attacker can execute arbitrary commands in the security context of the targeted user. This is done by sending a link to the user or by hosting or compromising a web site with code to exploit the vulnerability. The user would have to click the link or visit the site to enable the attack. The problem is caused by the way the SQL Server Report Manager (SSRM) validates input parameters. The update will also be offered to SQL Server clusters. If the cluster has a passive node, you should apply the update first to the active node and then to the passive node.
Other Updates/Releases
KB2731771 – Update for Windows 7 and Windows Server 2008 R2: This non-security update is for Windows 7 with and without SP1, designed to “resolve issues in Windows.”
KB2739159 – Update for Windows 7 and Windows Server 2008 R2: Another recommended non-security update to address unnamed (at the time of release) issues in Windows.
KB2744129 – Update for Windows Server 2008 x64 Edition: This one resolves unspecified issues in the 64-bit edition of Windows Server 2008. However, it is classified by Microsoft as “important.”
NOTE: More information on the three foregoing updates will be available in the associated KB articles, which had not been posted to the Microsoft web site at the time of release.
KB2756822 – Update for Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This is a non-security update rollup that’s classified as high priority and resolves issues caused by revised daylight saving time and time zone laws in several countries. It will enable the computer to automatically adjust its clock for DST on the correct date in 2012. A restart may be needed after installation.
KB890830 – As usual, Microsoft released an updated version of the Malicious Software Removal Tool (MSRT) for Windows XP, Vista, 7, 8 and Server 2003 and 2008.
Updates since the last Patch Tuesday
MS12-063/KB2744842 – Cumulative Security Update for Internet Explorer (Internet Explorer 6, 7, 8 and 9 on all supported versions of Windows XP, Vista and Windows 7 and Windows Server 2003, 2008 and 2008 R2): Microsoft released an out-of-band patch on September 21. This update addresses five vulnerabilities in IE, one of which was publicly disclosed and four that were reported privately. If a user visits a specially crafted malicious web page, the attacker can obtain user rights equal to those of the currently logged-on user and could execute remote code. The exploit is most dangerous against administrative users on Windows client systems. Internet Explorer 10 on Windows 8 and Server 2008/2008 R2 server core installations are not affected.
Advisory 2755801/KB2758994 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10 (IE 10 on Windows 8 32 and 64 bit systems and Windows Server 2012). This update, released October 8 (one day before Patch Tuesday), makes changes to the Adobe Flash libraries in IE 10 to address vulnerabilities in Adobe’s Flash Player software.
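For administrators who want to confirm that the Windows-component updates named in this post (MS12-068/KB2724197, MS12-069/KB2743555, the out-of-band MS12-063/KB2744842, and the DST rollup KB2756822) actually landed on a given machine, here is an added PowerShell compliance check. It is example code written for this page, not something from Microsoft or the original post. It assumes the KB numbers and the affected-platform statements given above, and uses the Windows Update history that `Get-HotFix` exposes through `Win32_QuickFixEngineering`; that source records only updates to Windows itself, so the Office, Works, SharePoint, FAST and SQL Server bulletins from this month will not show up there even when installed and must be verified through their own update mechanisms.

```powershell
# Added example (not from the original post): report whether the October 2012
# Windows-component security updates listed in the post are installed here.
# Get-HotFix reads Win32_QuickFixEngineering, which only knows about Windows
# updates. Office/Works/SharePoint/FAST/SQL Server patches (e.g. KB2742319,
# KB2754849) are NOT visible this way and need a separate check.

# Applicability ranges come from the affected-platform lists in the post:
#   5.1 = Windows XP, 5.2 = Server 2003 / XP x64, 6.0 = Vista / Server 2008,
#   6.1 = Windows 7 / Server 2008 R2, 6.2 = Windows 8 / Server 2012.
$requiredUpdates = @(
    @{ KB = 'KB2724197'; Bulletin = 'MS12-068 Windows kernel EoP';
       MinVersion = [version]'5.1'; MaxVersion = [version]'6.1' },
    @{ KB = 'KB2743555'; Bulletin = 'MS12-069 Kerberos DoS (Win7 / 2008 R2 only)';
       MinVersion = [version]'6.1'; MaxVersion = [version]'6.1' },
    @{ KB = 'KB2744842'; Bulletin = 'MS12-063 IE cumulative (out-of-band, Sept 21)';
       MinVersion = [version]'5.1'; MaxVersion = [version]'6.1' },
    @{ KB = 'KB2756822'; Bulletin = 'DST / time zone cumulative update';
       MinVersion = [version]'5.1'; MaxVersion = [version]'6.1' }
)

# Get-WmiObject is used rather than Get-CimInstance so the script also runs on
# the PowerShell 2.0 hosts (XP / Server 2003 / Vista) this month's bulletins cover.
$os        = Get-WmiObject -Class Win32_OperatingSystem
$osVersion = [version]$os.Version                 # e.g. 6.1.7601 for Win7 SP1
$osMajMin  = [version]('{0}.{1}' -f $osVersion.Major, $osVersion.Minor)

# HotFixID values look like 'KB2724197'; normalise to upper case for comparison.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper() }

$report = foreach ($u in $requiredUpdates) {
    $applies = ($osMajMin -ge $u.MinVersion) -and ($osMajMin -le $u.MaxVersion)
    $status  = if (-not $applies)                { 'NotApplicable' }
               elseif ($installed -contains $u.KB) { 'Installed' }
               else                               { 'MISSING' }
    New-Object PSObject -Property @{
        KB       = $u.KB
        Bulletin = $u.Bulletin
        Status   = $status
    }
}

Write-Host ("{0} (version {1})" -f $os.Caption.Trim(), $osVersion)
$report | Select-Object KB, Bulletin, Status | Format-Table -AutoSize

# Non-zero exit code makes the script usable from a scheduled task or a
# monitoring agent that treats any missing applicable update as a failure.
$missing = @($report | Where-Object { $_.Status -eq 'MISSING' })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} applicable update(s) missing: {1}" -f `
        $missing.Count, (($missing | ForEach-Object { $_.KB }) -join ', '))
    exit 1
}
exit 0
```

Run it in an elevated PowerShell prompt on each host (or push it out through your management tooling and collect the exit codes). A KB reported as MISSING on a version it applies to is the actionable result; NotApplicable simply reflects the platform lists above, for instance the Kerberos update is expected to be absent on XP, Vista and Server 2003/2008. Because the IE cumulative update was released out of band on September 21, it is worth including in this month's check even on hosts that are otherwise current.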