Wednesday, 14 October 2009 05:33

October Patch Tuesday is biggest ever

As expected, Microsoft released 13 new security bulletins overnight (Australian time). A mammoth 34 vulnerabilities are addressed, including some affecting Windows 7.

Microsoft has set a new record by releasing 13 security bulletins in one go. The bulletins cover a variety of issues for Windows and Microsoft Office.

Eight of the bulletins are rated critical and address vulnerabilities that allow remote code execution; the other five are rated important.

Let's start with the Windows bulletins.

The previously disclosed SMBv2 issue has now been fixed. The bulletin applies only to Vista and Server 2008 as far as supported versions of Windows are concerned, although prerelease versions of Windows 7 are apparently affected too. Server 2008 R2 does not suffer from the vulnerability.

A pair of bulletins address vulnerabilities in Windows Media Runtime and Windows Media Player. Maliciously crafted content can gain the same rights as the current user. These issues apply to Windows 2000, XP, Server 2003, Vista and Server 2008 (for those last two, only the Windows Media Runtime issue).

A cumulative update for Internet Explorer plugs four holes that can be exploited by maliciously crafted web pages. The update is required for Internet Explorer 6, 7 and 8, and by all currently supported versions of Windows, including Windows 7.

This month's cumulative update of ActiveX kill bits continues to address issues caused by the Active Template Library security issue. All supported versions of Windows are affected, but the issue is less important on Windows Server, Vista, and Windows 7.

Multiple issues in the .NET common language runtime can be exploited via a web browser or Silverlight applications. The bulletin is rated as critical or important for all supported versions of Windows.

Multiple vulnerabilities in GDI+ that could be exploited via malicious image files have been fixed. Vista SP2, Server 2008 SP2, and Windows 7 are unaffected.

Turning to the less serious matters, the five important bulletins all concern Windows.

A pair of publicly disclosed vulnerabilities in IIS's FTP service (which were acknowledged by Microsoft last month) have been fixed. IIS versions 5.0, 5.1, 6.0 and 7.0 are all affected, so there are updates for all supported versions of Windows except Windows 7 and Server 2008 R2.

Two vulnerabilities in Windows CryptoAPI that could allow spoofing have been addressed in all currently supported versions of Windows.


An Indexing Service vulnerability that could be exploited via a malicious web page to gain access to the system has been fixed in Windows 2000, XP and Server 2003. Vista, Windows 7 and Server 2008 are not affected.

Kernel vulnerabilities that can only be exploited by local users have been fixed in older versions of Windows. Windows 7 and Server 2008 R2 are not affected by these issues.

A vulnerability in the Local Security Authority subsystem could allow a denial of service attack. This bulletin relates to Windows XP, Server 2003, Vista, Server 2008, Windows 7, and Server 2008 R2.

As for Office, a single bulletin concerns ActiveX controls that were built using a vulnerable version of the Active Template Library. Office XP, 2003 and 2007 are all affected, and the issue is regarded as critical on all three versions. The various Visio viewers are similarly affected.

Other software that may require updating in relation to this month's bulletins includes various versions of SQL Server, Silverlight, Visual Studio, Report Viewer, and Forefront Client Security.

Microsoft has also released the customary updates for the Malicious Software Removal Tool and the Windows Mail Junk E-mail Filter, along with a cumulative update for Media Center for Vista, a reliability update for Windows 7 and Windows Server 2008 R2, and a cumulative update for Media Center TVPack for Vista.

Between September's and October's Patch Tuesdays, Microsoft released a root certificate update for XP, an update for Windows Home Server, the System Update Readiness Tool for Vista and Server 2008, a pair of application compatibility updates for Windows 7 and Server 2008 R2, and a new installation of Internet Explorer 8 for XP systems using Language Interface Packs.

Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.