Tomorrow, Tuesday October 8, 2013, Microsoft plans to issue eight bulletins, including four critical, addressing vulnerabilities in Microsoft Windows, Internet Explorer (IE), Microsoft Office and its other products.
The first four bulletins will patch critical vulnerabilities in Microsoft Windows, Internet Explorer and the Microsoft .NET Framework, according to a Microsoft Advanced Notification issued on Oct. 3.
Bulletins 1-4, deemed "critical" could allow for remote code execution. The first, second and fourth bulletins will definitely require a restart, while the third may require one.
Particular attention is being paid to the first bulletin, which may contain a permanent fix for a high-profile IE zero-day vulnerability that was discovered within the last month. Security firm FireEye, who initially uncovered the IE vulnerability, has since learned that at least three separate attack campaigns are actively exploiting the zero-day.
Though Microsoft issued a temporary "Fix it" in September for the vulnerability, pressure to provide a permanent patch increased on Monday when the popular penetration-testing tool Metasploit released a module for the zero-day. As for whether Bulletin 1 does indeed resolve the IE zero-day, Ross Barrett, senior manager of security engineering at Boston-based Rapid7, is hopeful.
"The answer is, we won't know for sure until Tuesday, but it could and it should," Barrett said. "This is definitely where I would focus my patching efforts."
Bulletins 2, 3 and 4 address vulnerabilities on a wide range of Microsoft products, including Windows XP, 7 and 8, and Windows Server 2003, 2008 and 2012.
In addition to the critical bulletins, Microsoft has marked four more bulletins as "important." Of these bulletins, three may require a restart and one does not.
Bulletins 5, 6 and 7 address vulnerabilities that could allow for remote code execution.
The bulletins will be released on Oct. 8.
Separately, Adobe Systems Inc. is currently preparing to patch critical vulnerabilities in two of its products, Reader and Acrobat. The vulnerabilities were assigned a "priority rating" of 2, which signals that the products have historically been at elevated risk, according to Adobe's rating system. The patches should go live on Oct. 8 too.
Executive Summary
| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical Remote Code Execution |
Requires restart | Microsoft Windows, Internet Explorer |
| Bulletin 2 | Critical Remote Code Execution |
Requires restart | Microsoft Windows |
| Bulletin 3 | Critical Remote Code Execution |
May require restart | Microsoft Windows, Microsoft .NET Framework |
| Bulletin 4 | Critical Remote Code Execution |
Requires restart | Microsoft Windows |
| Bulletin 5 | Important Remote Code Execution |
May require restart | Microsoft Office, Microsoft Server Software |
| Bulletin 6 | Important Remote Code Execution |
May require restart | Microsoft Office |
| Bulletin 7 | Important Remote Code Execution |
May require restart | Microsoft Office |
| Bulletin 8 | Important Information Disclosure |
Does not require restart | Microsoft Silverlight |
| Windows XP | ||||
|---|---|---|---|---|
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Critical | Critical | Critical | Critical |
| Windows XP Service Pack 3 | Internet Explorer 6 (Critical) Internet Explorer 7 Internet Explorer 8 |
Windows XP Service Pack 3 (Critical) |
Windows XP Service Pack 3 (Critical) |
Not applicable |
| Windows XP Professional x64 Edition Service Pack 2 | Internet Explorer 6 (Critical) Internet Explorer 7 Internet Explorer 8 |
Windows XP Professional x64 Edition Service Pack 2 (Critical) |
Windows XP Professional x64 Edition Service Pack 2 (Critical) |
Windows XP Professional x64 Edition Service Pack 2 (Critical) |
| Windows Server 2003 | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Moderate | Critical | Critical | Critical |
| Windows Server 2003 Service Pack 2 | Internet Explorer 6 (Moderate) Internet Explorer 7 Internet Explorer 8 |
Windows Server 2003 Service Pack 2 (Critical) |
Windows Server 2003 Service Pack 2 (Critical) |
Windows Server 2003 Service Pack 2 (No severity rating) |
| Windows Server 2003 x64 Edition Service Pack 2 | Internet Explorer 6 (Moderate) Internet Explorer 7 Internet Explorer 8 |
Windows Server 2003 x64 Edition Service Pack 2 (Critical) |
Windows Server 2003 x64 Edition Service Pack 2 (Critical) |
Windows Server 2003 x64 Edition Service Pack 2 (Critical) |
| Windows Server 2003 with SP2 for Itanium-based Systems | Internet Explorer 6 (Moderate) Internet Explorer 7 |
Windows Server 2003 with SP2 for Itanium-based Systems (Critical) |
Windows Server 2003 with SP2 for Itanium-based Systems (Important) |
Windows Server 2003 with SP2 for Itanium-based Systems (Critical) |
| Windows Vista | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Critical | Critical | Critical | Critical |
| Windows Vista Service Pack 2 | Internet Explorer 7 (Critical) Internet Explorer 8 Internet Explorer 9 |
Windows Vista Service Pack 2 (Critical) |
Windows Vista Service Pack 2 (Critical) |
Windows Vista Service Pack 2 (No severity rating) |
| Windows Vista x64 Edition Service Pack 2 | Internet Explorer 7 (Critical) Internet Explorer 8 Internet Explorer 9 |
Windows Vista x64 Edition Service Pack 2 (Critical) |
Windows Vista x64 Edition Service Pack 2 (Critical) |
Windows Vista x64 Edition Service Pack 2 (Critical) |
| Windows Server 2008 | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Moderate | Critical | Critical | Critical |
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Internet Explorer 7 (Moderate) Internet Explorer 8 Internet Explorer 9 |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical) |
Windows Server 2008 for 32-bit Systems Service Pack 2 (Critical) |
Windows Server 2008 for 32-bit Systems Service Pack 2 (No severity rating) |
| Windows Server 2008 for x64-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) Internet Explorer 8 Internet Explorer 9 |
Windows Server 2008 for x64-based Systems Service Pack 2 (Critical) |
Windows Server 2008 for x64-based Systems Service Pack 2 (Critical) |
Windows Server 2008 for x64-based Systems Service Pack 2 (Critical) |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Internet Explorer 7 (Moderate) |
Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical) |
Windows Server 2008 for Itanium-based Systems Service Pack 2 (Important) |
Windows Server 2008 for Itanium-based Systems Service Pack 2 (Critical) |
| Windows 7 | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Critical | Critical | Critical | Critical |
| Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 8 (Critical) Internet Explorer 9 Internet Explorer 10 |
Windows 7 for 32-bit Systems Service Pack 1 (Critical) |
Windows 7 for 32-bit Systems Service Pack 1 (Critical) |
Windows 7 for 32-bit Systems Service Pack 1 (No severity rating) |
| Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Critical) Internet Explorer 9 Internet Explorer 10 |
Windows 7 for x64-based Systems Service Pack 1 (Critical) |
Windows 7 for x64-based Systems Service Pack 1 (Critical) |
Windows 7 for x64-based Systems Service Pack 1 (Critical) |
| Windows Server 2008 R2 | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Moderate | Critical | Critical | Critical |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 8 (Moderate) Internet Explorer 9 Internet Explorer 10 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical) |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical) |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Critical) |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Internet Explorer 8 (Moderate) |
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical) |
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Important) |
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Critical) |
| Windows 8 | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Critical | Critical | Critical | Critical |
| Windows 8 for 32-bit Systems | Internet Explorer 10 (Critical) |
Windows 8 for 32-bit Systems (Critical) |
Windows 8 for 32-bit Systems (Critical) |
Windows 8 for 32-bit Systems (No severity rating) |
| Windows 8 for 64-bit Systems | Internet Explorer 10 (Critical) |
Windows 8 for 64-bit Systems (Critical) |
Windows 8 for 64-bit Systems (Critical) |
Windows 8 for 64-bit Systems (Critical) |
| Windows Server 2012 | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Moderate | Critical | Critical | Critical |
| Windows Server 2012 | Internet Explorer 10 (Moderate) |
Windows Server 2012 (Critical) |
Windows Server 2012 (Critical) |
Windows Server 2012 (Critical) |
| Windows RT | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Critical | Critical | Important | None |
| Windows RT | Internet Explorer 10 (Critical) |
Windows RT (Critical) |
Windows RT (Important) |
Windows RT (No severity rating) |
| Windows 8.1 | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Critical | None | None | None |
| Windows 8.1 for 32-bit Systems | Internet Explorer 11 (Critical) |
Not applicable | Not applicable | Not applicable |
| Windows 8.1 for 64-bit Systems | Internet Explorer 11 (Critical) |
Not applicable | Not applicable | Not applicable |
| Windows Server 2012 R2 | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Moderate | None | None | None |
| Windows Server 2012 R2 | Internet Explorer 11 (Moderate) |
Not applicable | Not applicable | Not applicable |
| Windows RT 8.1 | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | Critical | None | None | None |
| Windows RT 8.1 | Internet Explorer 11 (Critical) |
Not applicable | Not applicable | Not applicable |
| Server Core installation option | ||||
| Bulletin Identifier | Bulletin 1 | Bulletin 2 | Bulletin 3 | Bulletin 4 |
| Aggregate Severity Rating | None | Critical | Critical | Critical |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (Critical) |
Not applicable | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (No severity rating) |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical) |
Not applicable | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (Critical) |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Not applicable | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical) |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical) |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (Critical) |
| Windows Server 2012 (Server Core installation) | Not applicable | Windows Server 2012 (Server Core installation) (Critical) |
Windows Server 2012 (Server Core installation) (Critical) |
Windows Server 2012 (Server Core installation)
(Critical) |
| Windows Server 2012 R2 (Server Core installation) | Not applicable | Not applicable | Not applicable | Not applicable |
Bottom Line: Leave your Microsoft Windows Computers and Servers on Tuesday Night and Re-start them first thing Wednesday morning.
Special Note: If you are running Apple or Linux, you did not have to read this article.
If you have any questions, Please give me a call or send an email
Many Thanks
Greg Allen