Here is a quick recap of a fun-filled patch week.
The October 2012 edition of Patch Tuesday brought seven new security bulletins. In addition, Microsoft released a new security advisory (2749655). This new security advisory is related to an issue where Microsoft patches (and the files contained in the patches) have been signed with a bad digital signature. The signature contains a timestamp that will expire early in 2013.
With the timestamp issue, Microsoft needed to re-release four security bulletins. These security bulletins contain the same files and vulnerability fixes as the original release of the bulletin. These bulletins will need to be reapplied to systems to ensure the invalid timestamp will not be an issue next year. The following security bulletins were re-released by Microsoft to address the timestamp issue:
With the re-released security bulletins, only patches that apply to Microsoft operating systems Windows Vista and higher need to be reapplied to systems (Windows Vista, 2008, 7, 2008 R2). Earlier Microsoft operating systems (Windows XP, 2003) do not need to have the patches reapplied to the system.
With the seven new October Microsoft security bulletins, one Microsoft out-of-band security bulletin and the four re-released security bulletins, the total count of Microsoft security bulletins that will need to be addressed this month is up to 12. (And some people say a Patch Tuesday is cut-and-dry, tired-and-true and run-of-the-mill).
But wait, there is more! The documentation coming from Microsoft regarding the timestamp issue was quite thorough on Microsoft security patches in their knowledge base article and blog statements. Microsoft also re-released non-security updates with the timestamp issue. We found the following non-security updates were also released by Microsoft to fix the timestamp issue:
Is there more with this timestamp issue? Why yes there is! These non-security patches stated above are publicly available patches. These types of patches can be easily obtained from the Microsoft Download Center or through WSUS/Windows Update.
Microsoft also released non-public non-security updates. These updates are similar to the publicly available updates. These patches also fix non-security issues with Microsoft products, but the patches can only be obtained by calling Microsoft. Microsoft will release these patches to customers if they are experiencing the issue fixed in the patch. If administrators have contacted Microsoft and obtained one of the non-public patches, they will need to contact Microsoft again to get the new version of the patch with the correct timestamp applied to it. This part is important as non-public patches will not show up in a patch management product.
On to the non-Microsoft side this week, there were some other notable patch releases:
Adobe Security Bulletin APSB12-22 – Monday
Adobe released an update to address 25 vulnerabilities to their Adobe Flash Player 10/11 and Adobe Air 3.4.
Google Chrome 22.0.1229.92 – Monday
With every security release of Adobe Flash, Google releases a new version of their Chrome browser. This browser bundles Adobe Flash with the installation. This new version of Chrome also contains multiple vulnerabilities fixes for Chrome itself.
Microsoft Security Advisory 2755801 – Monday
This security advisory is a re-release issuing a new version of the Adobe Flash Player for Internet Explorer 10 on Windows 8 / Server 2012. Similar to Google Chrome, Microsoft is now bundling Adobe Flash Player in the installation of Internet Explorer 8. This release marks the first time the security advisory release has been in conjunction with an Adobe and Google release for Flash Player.
Mozilla Firefox 16.0 / Thunderbird 16.0 / SeaMonkey 12.3 – Tuesday
Mozilla released critical security updates for their products after a month of no updates. These updates were quickly pulled from availability as a critical vulnerability was introduced with the new updates.
Notepad++ 6.2.0 – Tuesday
TortoiseSVN 1.7.10 – Tuesday
Google Chrome 22.0.1229.94 – Wednesday
Google released an update to address a critical vulnerability in a short time period. This vulnerability was highlighted in the Pwnium 2 contest just one day earlier.
Mozilla Firefox 16.0.1 / Thunderbird 16.0.1 / SeaMonkey 12.3.1 – Thursday
Two days after releasing a new update that introduced a critical vulnerability, Mozilla released updates for all of the affected products.