News Stay informed about the latest enterprise technology news and product updates.

Word, Kerberos vulnerabilities highlight busy October Patch Tuesday

Improperly time stamped certificates mean rereleased patches, on top of fixes for Microsoft Word and Kerberos vulnerabilities this month.

In October's Patch Tuesday announcement, Microsoft patched vulnerabilities in seven security bulletins and released a cumulative update for Windows 8 and Windows Server 2012.

All supported versions of Windows Server up to Windows Server 2008 R2 have been patched. One particular vulnerability deals with Kerberos authentication, where, if exploited, could result in a denial of service. The server would restart itself if exploited.

Another vulnerability with the Windows kernel in recent editions of Windows could be exploited. However, it would be more difficult to pull off such an exploit because an attacker would need to develop a virus, said Jason Miller, a member of Shavlik Technologies Patch Patrol team.

The month's lone critical patch deals with a vulnerability in Microsoft Word in recent editions of Office software. This is important if users run recent versions of Outlook because Microsoft Word is used to render emails in the client.

The company recommends applying the patch immediately using WSUS or other services.

"It could be quite a large patch day"

-Jason Miller, Shavlik Technologies Patch Patrol Team

Another patch dealing with a vulnerability in SharePoint's FAST search stems from Oracle's Outside In libraries, something that received attention earlier this year.

Update déjà vu: human error leads to patch rereleases

Microsoft will  rerelease a number of its patches that included certificates that lack the appropriate timestamp.

Microsoft noted the original patches still protect against the vulnerabilities.

On Tuesday, Microsoft rereleased five bulletins from the month of August, three of them critical updates.

If these updates reappear in WSUS or another patch manager, Miller said it's best to apply them as they appear.  

Miller said the seven bulletins in October, plus these rereleased patches and an Internet Explorer patch that was released in mid-September, might keep admins busy.

"It could be quite a large patch day," Miller said.

No security updates for Windows Server 2012, Windows 8

Still missing from the Patch Tuesday proceedings are Windows Server 2012 and its desktop brother, Windows 8.

Given that the server product has only been out for a month and Windows 8 hasn't seen retail availability, Miller wasn't shocked.

Miller pointed to the trend that both Windows Vista and Windows Server 2008 were absent from security bulletins for about four months after the products hit general availability.

If admins are running any software -- like Office 2010 -- those will need to be patched, Miller said.

While there were no security updates for Windows Server 2012 or Windows 8, the company did release a cumulative update in time for the release of Windows 8. Most of the fixes in this update pertain to the desktop version, which promises improved driver support and power efficiency for better battery life on notebooks. 

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.