Categories
Section Navigation
Two of the vulnerabilities are rated "Critical," 14 are marked "Important," and the last one is classified as "Moderate." All of the Critical vulnerabilities earned their rating through a remote code execution impact, meaning a hacker could potentially gain control of an infected machine. At least eight of the 17 patches will require a restart.
The list of affected operating systems includes Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Microsoft Office XP, Office 2003, Office 2007, and Office 2010 are also being patched, but no Mac versions are.
Compared to last month's record Patch Tuesday, this one is massive. In fact, this is the highest number of bulletins Microsoft has ever released in one month. Still, it's lower than the record number of vulnerabilities that are being patched. The last record was set two months ago: 16 bulletins and 49 vulnerabilities fixed.
The exact breakdown of the bulletins for this month follows:
| 1 | Critical | Remote Code Execution | IE6/7/8 on Windows XP/2003/Vista/2008/7/2008 R2 |
| 2 | Critical | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 3 | Important | Elevation of Privilege | Windows Vista/2008/7/2008 R2 |
| 4 | Important | Remote Code Execution | Windows Vista |
| 5 | Important | Remote Code Execution | Itanium unaffected: Windows XP/2003/Vista/2008 |
| 6 | Important | Remote Code Execution | Windows 7/2008 R2 |
| 7 | Important | Remote Code Execution | Windows XP/2003/Vista/2008/7/2008 R2 |
| 8 | Important | Remote Code Execution | Windows XP/2003 |
| 9 | Important | Elevation of Privilege | Windows XP/2003/Vista/2008/7/2008 R2 |
| 10 | Important | Elevation of Privilege | Windows XP/2003 |
| 11 | Important | Elevation of Privilege | Windows Vista/2008/7/2008 R2 |
| 12 | Important | Denial of Service | Windows 2003/2008/2008 R2 |
| 13 | Important | Denial of Service | 32-bit and Itanium unaffected Windows 2008/2008 R2 |
| 14 | Important | Remote Code Execution | Publisher 2002/2003/2007/2010 |
| 15 | Important | Remote Code Execution | SharePoint Server 2007 |
| 16 | Important | Remote Code Execution | Office XP/2003/2007/2010 |
| 17 | Moderate | Denial of Service | Exchange Server 2007 |
These include two issues that were publicly disclosed. Microsoft says it will be closing the last Stuxnet-related issues this month. That's a local Elevation of Privilege vulnerability, so it's either Bulletin 3, 9, 10, or 11. The company is also addressing the Internet Explorer vulnerability described in Security Advisory 2458511, which IE8 remains immune to via the Data Execution Prevention (DEP) feature.
Along with these patches, Microsoft is also planning to release the following on Patch Tuesday:
- One or more nonsecurity, high-priority updates on Windows Update (WU) and Windows Server Update Services (WSUS)
- One or more nonsecurity, high-priority updates on Microsoft Update (MU) and WSUS
- An updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Microsoft Download Center
This information is subject to change by Patch Tuesday; Microsoft has been known to rush patches or to pull them as it deems necessary.
Source: Ars Technica
Latest Collections
Recent Posts
