Microsoft is planning a bumper Patch Tuesday next week — 13 bulletins covering 34 security vulnerabilities in a wide range of products. Eight of the 13 bulletins will be rated “critical,” Microsoft’s highest severity rating.
According to Microsoft’s advance notice, the patches coming on October 13 include fixes for two serious issues that are well-known and already documented — a code execution bug in SMB v2 and a gaping hole in FTP in IIS.
Affected products include Microsoft Windows, Internet Explorer, Microsoft Office, Silverlight, Microsoft Forefront, Developer Tools, and SQL Server.
The most serious issue being addressed is the SMB v2 flaw that exposes users to remote code execution attacks. Exploit code that provides a roadmap to launch attacks has been publicly released into the Metasploit Framework and into Immunity’s Canvas pen-testing platform.
Although only one documented issue is known, it appears Microsoft will be fixing multiple “vulnerabilities” in its implementation of the SMB v2 protocol.
The FTP in IIS vulnerability, first exposed in early September, is finally getting fixed. That flaw, which affects IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003), has been under attack for a few weeks.