Massive Patch Tuesday planned for October 13

Microsoft will release 13 bulletins that fix 34 holes.

October's Patch Tuesday will land on October 13 and, in an act of either irony or perhaps Microsoft's idea of humor, will feature 13 updates. These updates will fix a total of 34 holes. Of the 13 updates, eight will be labeled critical and five labeled important. These patches will fix vulnerabilities in Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server.

According to the advance Patch Tuesday "heads up" bulletin released Thursday, Microsoft will be fixing two of its more publicized holes for which it had not yet come up with a patch. One is a fix for the problems with Server Message Block 2 that could allow remote code execution (revealed September 8, in Security Advisory 975497).

Last month, when this hole was made public, Microsoft urged users to turn off SMB 2 until a patch could be completed. SMB 2 is a Microsoft-made network file- and print-sharing protocol that ships with Windows; the flaw affects Windows Vista, Windows Server 2008 and preview releases of Windows 7. The flaw was first disclosed Sept. 7 and may be used to create a worm, some say. The open-source testing platform Metasploit showcased attack code based on the SMB 2.0 hole on October 4.

Another patch fixes vulnerabilities in the FTP Service in Internet Information Services and was revealed in an advisory on Sept. 3 (975191). These holes affect IIS 5.0, 5.1, 6.0, and 7.0 and could allow remote code execution (RCE) on systems running the FTP Service on IIS 5.0, or a denial of service (DoS) attack on systems running the FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0.

The FTP hole caused a stir last month when Microsoft warned users of it, naming it a critical zero-day flaw. At first, the warning was merely intended to alert users that attack software had been developed, but soon after, some security researchers said they saw attacks occurring in the wild. When Microsoft became aware of those attacks, it warned users via a blog post from the Microsoft Security Response Center. It said:

Today we updated Security Advisory 975191 as we are now seeing limited attacks. Additionally, a new proof of concept was published allowing for Denial of Service (DoS) attacks on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service. This does not require Write access. Also, a new POC allowing DoS was disclosed this afternoon that affects the version of FTP 6 which shipped with Windows Vista and Windows Server 2008. Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits.

The initial vulnerability was not responsibly disclosed to Microsoft, which has led to limited, active attacks putting customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

More details about the planned October Patch Tuesday can be found here.

Experts at patch vendor Shavlik Technologies say that this could be the biggest Patch Tuesday on record, between the number of updates and the number of total holes addressed.





Copyright © 2009 IDG Communications, Inc.
