IT administrators on Tuesday received their holiday greetings from Microsoft: a whopper of a security update, comprised of 17 patches to fix 40 vulnerabilities.
The record-setting update, however, only contained two patches labeled "critical." One of those, a bulletin (MS10-090) that addresses seven flaws in Internet Explorer, is considered the highest priority fix as it closes a zero-day vulnerability that has been exploited in the wild.
"Over the weekend, Microsoft saw an uptick in attacks against the vulnerability," particularly targeting users in China and Korea, said Jason Miller, data and security team leader at Shavlik Technologies, a patch management vendor.
The other critical bulletin (MS10-091) resolves three bugs in the OpenType Font driver on Windows.
"If a shared folder that contains a malicious OpenType font file is viewed, an attacker could run code in the Windows kernel," Miller said. "In order for a successful exploit, an attacker must convince a user to open a share that contains a malicious OpenType font file."
Less pressing for most organizations, but potentially most dangerous of all, is a patch for the last-known Stuxnet flaw – this one used to escalate privileges in conjunction with Stuxnet, the pernicious malware used to attack industrial control systems. Public exploit code had been published.
Administrators are encouraged to consult Microsoft's "Deployment Priority" chart as they apply the patches."From a distance, it is large and scary, with 17 bulletins and 40 CVEs," Tyler Reguly, technical manager of security research and defense. "But when you get up close and really start to look at the patches, there isn't really anything to be afraid of."
Flaws targeting widely used applications SharePoint and Exchange are being patched as well, but these don't seem to present much risk of exploit, Reguly said.
