Welcome to the 1024-bit world and the October security updates

  • Article

As previously mentioned in the Advance Notification blog on Thursday, today we’re releasing seven bulletins, one Critical-class and six Important-class bulletins. Before we discuss those releases, let’s take a closer look at the Security Advisories we also released today.

Security Advisory 2661254

We began discussing this issue in June, and originally released this advisory in August. Today we’re moving the update from being available on the Download Center to distributing it through Windows Update. This is the final step in our move to help folks strengthen their certificates by requiring them to have an RSA key length of at least 1024 bits.

Security Advisory 2749655

The update addresses potential compatibility issues due to a signature timestamp on valid files expiring before it should. This advisory will improve your overall security profile, rather than addressing an issue in a specific product. While there has been no certificate compromise related to this issue, if un-addressed, it could affect your ability to install future updates, including security updates. Dustin Ingalls and Jonathan Ness discuss this issue in further detail on the SRD blog. This update is available through Automatic Updates as well as the Windows Update Catalog and Download Center.

Security Updates

For Update Tuesday, we’re releasing seven bulletins that address 20 issues in Microsoft Windows, SQL Server, and Office including SharePoint, Lync, Microsoft Works (which reaches the end of its support lifecycle this week) and InfoPath. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing on the critical update, MS12-064 first:

MS12-064 (Microsoft Word): This security update resolves two issues in Microsoft Office. This bulletin has a severity rating of Critical and can result in remote code execution. Only one of the two issues addressed by this bulletin is rated Critical, but in that case, an attacker could run code in the context of the logged- on user if they were to open a specially crafted Rich Text Format (RTF) file or previews or open a specially crafted RTF email message.

Notably, one of the other bulletins, MS12-067, addresses the issue first described in Security Advisory 2737111. While this issue was publicly known, we’re not aware of any attacks or customer impact.

You can watch the video below for an overview of this month's bulletins.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jonathan Ness and myself. I invite you to tune in and learn more about the October security bulletins and advisories. We’ve scheduled the webcast for Wednesday, Oct. 10, 2012 at 11 a.m. PDT, and you can register here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks, and I look forward to hearing your questions during the webcast.

Dustin Childs
Group Manager
Trustworthy Computing