Microsoft's October 2012 Patch Tuesday release will include seven bulletins, one rated critical and six rated important, affecting Microsoft Office, Microsoft Server Software, Microsoft Lync, Microsoft Windows and Microsoft SQL Server.
According to a Microsoft blog post, as expected, the patch release will also address the vulnerabilities affecting Microsoft Exchange and FAST Search Server 2010, and will require RSA key lengths to be at least 1,024 bits.
Bulletin 1, classed as "critical," addresses a remote code-execution threat in Microsoft Office and Microsoft Server Software. Applying the patch may require a restart. The specific programs to which bulletin 1 applies include Microsoft Office 2003 Service Pack 3, Microsoft Word Viewer, Microsoft Office Compatibility Pack Service Packs 2 and 3, and Microsoft Office 2007 Service Packs 2 and 3.
"We recommend being alert for the first Bulletin and prepare for a fast roll-out of that update," said Wolfgang Kandek, chief technology officer at Redwood City, Calif.-based Qualys Inc. in a statement.
The remaining bulletins all have an "important" rating:
- Bulletins 2 and 4 also address remote code-execution threats in Microsoft Office and Microsoft Server Software, and may require a restart.
- Bulletins 3, 5 and 7 target elevation of privilege issues in Microsoft Office, Microsoft Server Software, Microsoft Lync, Microsoft Windows and Microsoft SQL Server.
- Bulletin 5 requires a restart, while bulletins 3 and 7 may require a restart.
- Finally, bulletin 6 requires a restart and fixes a vulnerability that could allow for denial of service through Microsoft Windows.
Security Advisory 2737111 addresses the vulnerabilities affecting Microsoft Exchange and FAST Search Server 2010 for SharePoint Parsing, which could allow remote code execution. The vulnerabilities originated in third-party code, specifically Oracle Outside In code libraries.
Security Advisory 2661254 restricts the use of certificates with RSA keys shorter than 1,024 bits. The change comes in response to the recent Flame malware, which used fake Microsoft certificates to disguise malicious files. Once applied, the update will prevent Internet Explorer from connecting to websites that use RSA certificates unless their keys are at least 1,024 bits long.
The relatively light volume of October patches comes on the heels of a similarly light September 2012 Patch Tuesday cycle, during which only two important bulletins were released. With a small number of patches, Microsoft encouraged customers to focus on installing the update described in Security Advisory 2661254 so users could adjust to the change in RSA key-length requirements.
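One way to find certificates that would fall under the 1,024-bit RSA minimum of Security Advisory 2661254 before the update is applied. This is an added example, not code from Microsoft or from the article; the function name `Get-RsaKeyBits` is hypothetical, and the script assumes a Windows host with .NET Framework 4.6 or later.

```powershell
# Added example: report certificates in the local stores whose RSA public key
# is shorter than the minimum described in Security Advisory 2661254.
$MinimumBits = 1024                      # threshold stated in the article
$RsaOid      = '1.2.840.113549.1.1.1'    # OID for rsaEncryption public keys

# Hypothetical helper: returns the RSA modulus size in bits, or $null when the
# certificate does not carry an RSA key or the key cannot be read.
function Get-RsaKeyBits {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if ($Certificate.PublicKey.Oid.Value -ne $RsaOid) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($rsa) { return $rsa.KeySize }
    } catch {
        Write-Warning "Could not read key for $($Certificate.Thumbprint): $_"
    }
    return $null
}

# Walk every store under both locations; skip the store container objects.
$findings = foreach ($location in 'LocalMachine', 'CurrentUser') {
    Get-ChildItem -Path "Cert:\$location" -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $bits = Get-RsaKeyBits -Certificate $_
            if ($null -ne $bits -and $bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = ($_.PSParentPath -split '::')[-1]
                    Subject    = $_.Subject
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object Store, Subject | Format-Table -AutoSize
} else {
    Write-Output "No RSA certificates shorter than $MinimumBits bits were found."
}
```

Certificates reported from trusted root or intermediate stores matter most, since anything chaining to them will stop validating once the restriction is in place.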