Microsoft security update includes IE, Stuxnet repairs

Share this article:

IT administrators on Tuesday received their holiday greetings from Microsoft: a whopper of a security update, comprised of 17 patches to fix 40 vulnerabilities.

The record-setting update, however, only contained two patches labeled "critical." One of those, a bulletin (MS10-090) that addresses seven flaws in Internet Explorer, is considered the highest priority fix as it closes a zero-day vulnerability that has been exploited in the wild.

"Over the weekend, Microsoft saw an uptick in attacks against the vulnerability," particularly targeting users in China and Korea, said Jason Miller, data and security team leader at Shavlik Technologies, a patch management vendor. 

The other critical bulletin (MS10-091) resolves three bugs in the OpenType Font driver on Windows.

"If a shared folder that contains a malicious OpenType font file is viewed, an attacker could run code in the Windows kernel," Miller said. "In order for a successful exploit, an attacker must convince a user to open a share that contains a malicious OpenType font file."

Less pressing for most organizations, but potentially most dangerous of all, is a patch for the last-known Stuxnet flaw – this one used to escalate privileges in conjunction with Stuxnet, the pernicious malware used to attack industrial control systems. Public exploit code had been published.

Administrators are encouraged to consult Microsoft's "Deployment Priority" chart as they apply the patches.

"From a distance, it is large and scary, with 17 bulletins and 40 CVEs," Tyler Reguly, technical manager of security research and defense. "But when you get up close and really start to look at the patches, there isn't really anything to be afraid of."

Flaws targeting widely used applications SharePoint and Exchange are being patched as well, but these don't seem to present much risk of exploit, Reguly said.



Share this article:

Sign up to our newsletters

More in News

Research shows vulnerabilities go unfixed longer in ASP

Research shows vulnerabilities go unfixed longer in ASP

A new report finds little difference in the number of vulnerabilities among programming languages, but remediation times vary widely.

Bill would restrict Calif. retailers from storing certain payment data

The bill would ban businesses from storing sensitive payment data, for any long than required, even if it is encrypted.

Amplification, reflection DDoS attacks increase 35 percent in Q1 2014

Amplification, reflection DDoS attacks increase 35 percent in ...

The Q1 2014 Global DDoS Attack Report reveals that amplification and reflection distributed denial-of-service attacks are on the rise.