Microsoft security update includes IE, Stuxnet repairs

Share this article:

IT administrators on Tuesday received their holiday greetings from Microsoft: a whopper of a security update, comprised of 17 patches to fix 40 vulnerabilities.

The record-setting update, however, only contained two patches labeled "critical." One of those, a bulletin (MS10-090) that addresses seven flaws in Internet Explorer, is considered the highest priority fix as it closes a zero-day vulnerability that has been exploited in the wild.

"Over the weekend, Microsoft saw an uptick in attacks against the vulnerability," particularly targeting users in China and Korea, said Jason Miller, data and security team leader at Shavlik Technologies, a patch management vendor. 

The other critical bulletin (MS10-091) resolves three bugs in the OpenType Font driver on Windows.

"If a shared folder that contains a malicious OpenType font file is viewed, an attacker could run code in the Windows kernel," Miller said. "In order for a successful exploit, an attacker must convince a user to open a share that contains a malicious OpenType font file."

Less pressing for most organizations, but potentially most dangerous of all, is a patch for the last-known Stuxnet flaw – this one used to escalate privileges in conjunction with Stuxnet, the pernicious malware used to attack industrial control systems. Public exploit code had been published.

Administrators are encouraged to consult Microsoft's "Deployment Priority" chart as they apply the patches.

"From a distance, it is large and scary, with 17 bulletins and 40 CVEs," Tyler Reguly, technical manager of security research and defense. "But when you get up close and really start to look at the patches, there isn't really anything to be afraid of."

Flaws targeting widely used applications SharePoint and Exchange are being patched as well, but these don't seem to present much risk of exploit, Reguly said.



Share this article:

Sign up to our newsletters

More in News

Phishing campaign targeting users of Bitcoin wallet Blockchain.info

More than 12,000 messages have been sent to more than 400 companies as part of a phishing campaign targeting users of Bitcoin wallet Blockchain.info.

AOL announces that it does not follow 'Do Not Track' requests

Eight months after the enactment of a new California privacy law, AOL clarified that it does not respond to web browsers' "Do Not Track" requests.

Experts discover history of malware infections on network of Community Health Systems

Following a major breach at the hospital provider, security experts analyzed its network and discovered malware infections dating back to January.