Microsoft Patch Tuesday is coming up next week, and the company has provided a brief preview of what channel partners and IT administrators can expect.
The October edition of Patch Tuesday includes seven bulletins, only one of which is listed as critical.
"Seven is a pretty normal number for bulletins now," said Wolfgang Kandek, CTO of Qualys. "But if you look a little bit deeper, it looks very light to me, which I think is a good thing for IT administrators. Bulletin No. 1 is classified as critical and is about Microsoft Office. All versions of Office are affected, so that is the one that people should focus on primarily."
Because Microsoft Office is so pervasive, this update will affect a very large number of users, from companies of all sizes down to individual home users.
"Bulletin No. 1 is critical because it can lead to remote code execution," said Marcus Carey, security researcher at Rapid7.
"From what I understand, if you use Outlook Web Access, even in preview mode, it can compromise your system. This bulletin might very well affect Mac users too, so I am recommending that Mac users pay particular attention to this upcoming Patch Tuesday. They should apply that one as quickly as possible because it is rated critical."
"For all these Office bugs, a lot of them are about fending off spear phishing attacks. In No. 2, it's your typical spear phishing incident in which people have to open up a malicious Word document in order for the bug to activate. It's the same situation in No. 3, 4 and 5, which are about elevation of privilege and remote code executions. No. 5 is an escalation of privilege."
Bulletin No. 6 focuses on a denial-of-service issue that affects Microsoft Windows. Bulletin No. 7 is described by Carey as a cross-site scripting bug in SQL Server.
Cross-site scripting (XSS) is a web application attack in which an attacker gets client-side script injected into a page that other users view; the injected script then runs in each victim's browser with the privileges of the site that served it. The usual objective is to bypass access controls such as the browser's same-origin policy, for example to steal session cookies or perform actions on the site as the victim.
"There are also a number of other bulletins around the Office family, but a lot of them pertain to software that is not that widely installed, such as Works," added Kandek. "But all of these are listed as important, which means that they don't allow an attacker to take over your machine. That's the primary difference between important and critical."
Also on Tuesday, Microsoft will activate its new policy that invalidates any certificate whose RSA key is shorter than 1,024 bits.
"It has been considered bad form to use certificates with such a short key length," said Qualys' Kandek. "In our research, we have only detected two certificates of that type. The impact is that you would expect to see an Internet Explorer warning when you go to a site that has a weakly encrypted certificate. But, I don't expect this to cause any large-scale issues."
This shift in policy is directly related to the Flame malware, which used a fraudulent certificate to pass itself off as legitimately signed Microsoft code; weak keys and certificates of that kind are exactly what the new minimum key length is meant to rule out.