Microsoft security update includes IE, Stuxnet repairs


IT administrators on Tuesday received their holiday greetings from Microsoft: a whopper of a security update, comprising 17 patches that fix 40 vulnerabilities.

The record-setting update, however, only contained two patches labeled "critical." One of those, a bulletin (MS10-090) that addresses seven flaws in Internet Explorer, is considered the highest priority fix as it closes a zero-day vulnerability that has been exploited in the wild.

"Over the weekend, Microsoft saw an uptick in attacks against the vulnerability," particularly targeting users in China and Korea, said Jason Miller, data and security team leader at Shavlik Technologies, a patch management vendor. 

The other critical bulletin (MS10-091) resolves three bugs in the OpenType Font driver on Windows.

"If a shared folder that contains a malicious OpenType font file is viewed, an attacker could run code in the Windows kernel," Miller said. "In order for a successful exploit, an attacker must convince a user to open a share that contains a malicious OpenType font file."

Less pressing for most organizations, but potentially most dangerous of all, is a patch for the last-known Stuxnet flaw – this one used to escalate privileges in conjunction with Stuxnet, the pernicious malware used to attack industrial control systems. Public exploit code had been published.

Administrators are encouraged to consult Microsoft's "Deployment Priority" chart as they apply the patches.

"From a distance, it is large and scary, with 17 bulletins and 40 CVEs," said Tyler Reguly, technical manager of security research and defense. "But when you get up close and really start to look at the patches, there isn't really anything to be afraid of."

Flaws in the widely used applications SharePoint and Exchange are being patched as well, but these don't seem to present much risk of exploitation, Reguly said.
