If all goes according to plan, Microsoft will release seven security updates Tuesday -- one for critical vulnerabilities. Here's what some patch management experts told me by email this afternoon:
Marcus Carey, security researcher at Rapid7:
"Bulletin 1, marked as critical, is a vulnerability in Microsoft Office 2003, 2007, and 2010 as well as Word Viewer and Microsoft Office Web Apps. This vulnerability requires a victim to open a malicious file or even preview a malicious file in Outlook Web Access. This vulnerability could result in the complete compromise of a system if exploited. Since this is an Office vulnerability, it may affect both Windows and Macintosh users."
Qualys CTO Wolfgang Kandek:
"After a very light Patch Tuesday last month, Microsoft's Patch Tuesday for October 2012 is again not very substantial. Although there are seven bulletins, only the first one, for Microsoft Office, is rated critical. This is not very common for Office vulnerabilities and typically indicates that no user interaction, such as opening an affected file, is required to trigger the vulnerability. The bulletin applies to all versions of Office on Windows from 2003 to 2010 and should be applied as quickly as possible.
"The remaining six bulletins are all rated important. Three of them affect components of the Office family but will only affect a subset of all organizations, as they are probably not very often installed. Bulletin 2 brings a patch for a Remote Code Execution vulnerability in Works 9, Bulletin 3 addresses InfoPath and SharePoint, and Bulletin 4 is an update to FAST Search for SharePoint. Bulletins 5 and 6 are both local Elevation of Privilege vulnerabilities for Windows that can be used to gain administrative privileges but would require an attacker to be already present on the machine. Lastly, Bulletin 7 is an update for all versions of MS SQL Server and similarly addresses a local Escalation of Privilege vulnerability."
Alex Horan, senior product manager, CORE Security:
"Certainly more tricks than treats in this month's update. When you look at these patches in isolation, they don't seem as though they are that significant. And that's the mistake a lot of companies make: the desktop folks fix the desktop patches, the SQL group fixes the SQL patches. People work in vacuums. However, when you look at all of them holistically, you can see that a clear path is being formed that would allow hackers to work their way in from outside the network to the inside and seize control rather easily. This would be the first step in them having the ability to cause destruction or create a denial of service attack on a very large scale.
"Secondly, these patches highlight the amount of code that is being reused. Bulletin 7 involves code reused in versions since 2000. That's 12 years of reused, and now vulnerable, code. When you look at the number of versions that are affected, you quickly come to the determination that these vulnerabilities have existed for quite a long period of time and have potentially been abused without user knowledge throughout several generations of the software."