October 8, 2009 1:05 PDT
On Tuesday, October 13th Microsoft will release 13 new bulletins that affect a number of products, spanning seven operating systems and several applications. In keeping with our 24 hour SLA, on Wednesday, October 14th nCircle VERT will release ASPL-319 which will include detection for these new vulnerabilities.
Bulletin |
Severity Rating |
Vulnerability Impact1 |
Bulletin #1 |
Critical |
Remote Code Execution |
Bulletin #2 |
Critical |
Remote Code Execution |
Bulletin #3 |
Critical |
Remote Code Execution |
Bulletin #4 |
Important |
Remote Code Execution |
Bulletin #5 |
Critical |
Remote Code Execution |
Bulletin #6 |
Critical |
Remote Code Execution |
Bulletin #7 |
Important |
Spoofing |
Bulletin #8 |
Important |
Remote Code Execution |
Bulletin #9 |
Important |
Elevation of Privilege |
Bulletin #10 |
Important |
Denial of Service |
Bulletin #11 |
Critical |
Remote Code Execution |
Bulletin #12 |
Critical |
Remote Code Execution |
Bulletin #13 |
Critical |
Remote Code Execution |
The below table outlines the bulletins and the affected application/operating system:
|
Bulletin |
Bulletin |
Bulletin |
Bulletin |
Bulletin |
Bulletin |
Bulletin |
Windows 2000 |
|
x |
x |
x |
|
x |
x |
Windows XP |
|
x |
x |
x |
|
x |
x |
Windows Server 2003 |
|
x |
x |
x |
|
x |
x |
Windows Vista |
x |
x |
|
x |
|
x |
x |
Windows Server 2008 |
x |
x |
|
x |
|
x |
x |
Windows 7 |
|
|
|
|
|
x |
|
Windows Server 2008 R2 |
|
|
|
|
|
x |
x |
Internet Explorer |
|
|
|
|
x |
|
|
|
Bulletin #8 |
Bulletin #9 |
Bulletin #10 |
Bulletin #11 |
Bulletin #12 |
Bulletin #13 |
Windows 2000 |
x |
x |
|
|
x |
x |
Windows XP |
x |
x |
x |
|
x |
x |
Windows Server 2003 |
x |
x |
x |
|
x |
x |
Windows Vista |
|
x |
x |
|
x |
x |
Windows Server 2008 |
|
x |
x |
|
x |
x |
Windows 7 |
|
|
x |
|
x |
|
Windows Server 2008 R2 |
|
|
x |
|
x |
|
Microsoft Office |
|
|
|
x |
|
x |
Microsoft Silverlight |
|
|
|
|
x |
|
Microsoft SQL Server |
|
|
|
|
|
x |
Development Tools (Including VS .NET) |
|
|
|
|
|
x |
Microsoft Forefront |
|
|
|
|
|
x |
While VERT does not have advanced information on these bulletins, we do work to perform our own internal analysis based on the available data. VERT is expecting to see the fixes for the IIS FTP issue2 (Bulletin #3), SMBv23 (Bulletin #1) and based on the software in Bulletin #13, one of the popular libraries, most likely ATL or GDI+.
Tuesday will also see the second quarterly patch release from Adobe, it will contain several fixes including one for the recently reported CVE-2009-34954 .
The Oracle Critical Patch Update (CPU) scheduled for Tuesday has been pushed back to October 20th because of Oracle World5
As VERT receives more information on these bulletins, we will release further details. The next scheduled VERT Alert will be on Tuesday, October 13th and will contain information on these specific bulletins.
1Vulnerability Impact refers to Microsoft’s definition and not nCircle’s definition.
2 http://www.microsoft.com/technet/security/advisory/975191.mspx
3 http://support.microsoft.com/kb/975497
4 http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html
5 http://blogs.oracle.com/security/2009/09/announcement_regarding_the_oct.html