Microsoft will release two important bulletins addressing four issues in its September 2012 Patch Tuesday.
September is usually a light month for Microsoft security updates.
According to the Microsoft September 2012 Patch Tuesday Advance Notification, both bulletins address elevation of privilege vulnerabilities and will not require a restart. In order for an attacker to cause any damage, they would need to already have infiltrated the system.
"The reason these are important, though, is that through a client-side attack or drive-by download, an attacker could gain a foothold on a user's machine," said Alex Horan, senior product manager at CORE Security Technologies in Boston. "Let that attacker then escalate privileges and get system access to the machine and there is big trouble."
The first bulletin concerns vulnerabilities in Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1, one of the software giant's developer tools. The second bulletin deals with issues in Microsoft Systems Management Server 2003 Service Pack 3 and Microsoft System Center Configuration Manager 2007 Service Pack 2.
The bulletin release is scheduled for Sept. 11 at approximately 1 p.m. ET.
In addition to announcing the patch, Gunn reminded users of Security Advisory 2661254, which was made available in the download center in August. On Oct. 9, RSA key lengths will be required to be at least 1024 bits. Microsoft customers are encouraged to apply the update now so they can identify any issues it causes before it becomes mandatory in October. Known issues include error messages when browsing to websites that have SSL certificates with keys shorter than 1024 bits, problems enrolling for certificates when a certificate request attempts to use a key shorter than 1024 bits, and failures in other actions involving key lengths of less than 1024 bits.
September's patch will be smaller than its predecessor. In the August 2012 Patch Tuesday, Microsoft addressed a flaw in Windows Common Controls that was being exploited in the wild, among other issues. In total, Microsoft addressed 26 vulnerabilities over nine bulletins. All but one of the bulletins released presented a possibility of remote code execution.