Those inclined to see numerological conspiracy every time the number 13 pops up will want to take a deep breath before pondering Microsoft’s release of 13 security bulletins for this Patch Tuesday, which just happened to fall on 10/13/2009. As for me, I’m always reminded of the superstitions surrounding Friday the 13th, and the famous line from Walt Kelly’s Pogo comic strip — namely, “Friday the 13th done come on a Tuesday” (at least, in this case). Superstition aside, there’s a lot of important stuff in this set of security bulletins.
You can find several interesting overviews from Microsoft and others on this latest batch of security updates online:
- Microsoft Security Bulletin Summary for October 2009
- Shavlik Security Center Blog: “October Patch Tuesday Overview”
- iTWire: “October Patch Tuesday is biggest ever”
Here’s the 10,000-foot view/breathless summary: 13 bulletins, 8 critical (remote code execution) and 5 important, 23 vulnerabilities, and the first-ever security bulletins that involve Windows 7 and Windows Server 2008 R2. There’s a long-awaited fix to SMB issues (MS09-050), a fix to GDI+ (MS09-062), and a cumulative update for IE (MS09-054). You’ll also find a couple of bulletins that address issues related to the Windows Media Runtime and Windows Media Player (MS09-051 and MS09-052, respectively). Active Template Library security issues surface again, with lots of ActiveX killbits stuff in MS09-055, and fixes for ATL ActiveX controls in MS Office in MS09-060. Other items address .NET and Silverlight (MS09-061), the Windows Indexing Service (MS09-057), the Windows Kernel (MS09-058, which requires hands-on system access to exploit), CryptoAPI (MS09-056), and LSASS (MS09-059). Finally, there are fixes for the IIS FTP service in MS09-053.
OK, admins: get ready to roll up your sleeves and start pushing patches. There’s some important stuff here, so you’re going to have to figure out what affects your environment, do some testing, and start deploying!