Microsoft has announced that it plans to release eight patches next week as part of its October Patch Tuesday release, addressing flaws in its Windows, the .NET Framework, Office, Server, Silverlight and most importantly its Internet Explorer browser.
Four of the patches are marked critical, the first of which should address a nasty zero-day flaw that has been affecting all versions of Internet Explorer over the last month or so. Microsoft initially released a Fix it tool for the vulnerability three weeks ago after reports of the exploit were seen in the wild, but this is the first patch for the issue the company will ship to users.
The flaw stems from the way that IE “accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” according to an advisory Microsoft released in mid-September.
It didn’t take long for the public to take advantage of the vulnerability’s leaked exploit code. On the same day that Metasploit developed a module for the vulnerability, news came that three new targeted attack campaigns were using the exploit vector.
Despite the increase in attacks, Microsoft has apparently elected to stick to its schedule for the contentious bug rather than fix it with an out-of-band patch.
Regardless of the timeline, according to several experts, this patch should be the number one issue for users and IT professionals on Tuesday.
“Users should apply a patch ASAP,” Lamar Bailey, the Director of Security Research and Development for network security company Tripwire, said Thursday.
The other three critical updates (Bulletins 2-4) will fix issues elsewhere in Windows, from Windows XP to Windows 8 and Windows RT.
Meanwhile, the Microsoft Office updates (Bulletins 5-7) fix important flaws in SharePoint, Excel and Word, respectively.
All of the vulnerabilities could lead to remote code execution, save for the last and most minor bulletin, which fixes an information disclosure flaw in the Silverlight application framework.
This of course marks the 10th year of Microsoft’s Patch Tuesday flaw remediation program. The move – at least in the words of Andrew Storms on Wednesday – would create a “great wave of change” in the information security industry from that point on.