The latest Patch Tuesday security updates to address critical and important vulnerabilities will keep admins busy.
There are eight bulletins for October's Patch Tuesday cycle, four of which are critical. All four critical bulletins address remote code execution vulnerabilities.
Internet Explorer received critical fixes for ten vulnerabilities that could let attackers gain the same rights as users if those users visit malicious webpages. The update also included a patch for a zero-day exploit for which Microsoft had previously issued an out-of-band "fix-it" update.
This patch should be a priority for workstation computers, as it is being exploited by attackers, said Wolfgang Kandek, CTO of Qualys Inc., a Redwood Shores, Calif.-based IT security firm.
Two of the critical security updates address OpenType font vulnerabilities. MS13-081 addresses seven Windows kernel-mode driver vulnerabilities that can be triggered when users open affected content with embedded TrueType or OpenType fonts.
MS13-082 addresses two .NET Framework vulnerabilities that could be exploited if users visit websites with affected OpenType font files. July's security updates included fixes for TrueType vulnerabilities in all Windows systems, while August's updates included fixes for OpenType vulnerabilities in the Windows XP and Windows Server 2003 Unicode Scripts Processor.
Another critical security update addresses a Windows Common Control Library vulnerability in all 64-bit editions of Windows, which could be exploited if attackers send a web request to an ASP.NET site on affected systems.
October's important security updates cover vulnerabilities in Microsoft Office, SharePoint Server and Silverlight. Four vulnerabilities in Excel and Word could let attackers gain the same rights as users, while two SharePoint vulnerabilities could be exploited if users open affected Office files with SharePoint, Office Web Apps or Office Services.
The complete list of security updates can be found here.
The yearly total of bulletins moves up to 87 with this Patch Tuesday, which is a significant jump from the 70 bulletins at the same time last year.
October marks the tenth anniversary of the beginning of Patch Tuesday, which Kandek reflected on as "a very successful idea."
Over time, Windows vulnerabilities have gone from straightforward to more complex, just as "attackers have stepped up their game," said Kandek.