Microsoft on Tuesday shipped 16 patches for a record-setting 49 vulnerabilities affecting Windows, Internet Explorer, Office and the .NET Framework.
Six of the 49 flaws garnered a “critical” rating from Microsoft.
Three of the 16 bulletins accounted for 34 of the vulnerabilities. Most security experts deemed bulletin MS10-071, which provides a cumulative security update for 10 bugs in Internet Explorer (IE), and MS10-076, which addresses a single vulnerability in the Embedded OpenType Font Engine, as the most high-priority fixes. Both can be exploited to execute remote code.
Only one of the IE vulnerabilities impacts the newest version of the browser, IE 8. The latter bulletin, meanwhile, corrects an issue “in the way Windows handles fonts and can be triggered by a simple malicious web page without interaction from the user, making it a good candidate for a drive-by [download] infection campaign,” wrote Wolfgang Kandek, CTO of vulnerability management firm Qualys, in a Tuesday blog post.
The vulnerability is being leveraged in active attacks, Carlene Chmaj, security response senior communications manager at Microsoft, told SCMagazineUS.com on Tuesday.
Two other low-priority fixes address issues in the popular Office program, Kandek said. Both permit remote code execution, but for the vulnerabilities to be exploited, users must be tricked into opening a malicious file.
Tuesday’s update also closes one of the two remaining zero-day, privilege-escalation vulnerabilities being leveraged by Stuxnet attackers, according to security researchers. Stuxnet is a pernicious worm that has been used to attack critical infrastructure facilities, mainly in Iran, India and Indonesia.
“Stuxnet uses the Win32 Keyboard Layout Vulnerability to gain administrator privileges on infected computer systems,” Joshua Talbot, security intelligence manager at Symantec Security Response, said. “This functionality ensures that none of the threat’s malicious actions get blocked on targeted systems due to lack of permission.”
Jason Miller, data and security team leader at security firm Shavlik Technologies, said IT pros shouldn’t necessarily be surprised by the seeming rising number of bugs being patched each month by Microsoft. Before this month, the previous patch batch record was set two months ago, when Microsoft pushed out fixes for 34 flaws.
“There are a couple of factors that are coming into play for this,” Miller said. “First, Microsoft is the grandfather of patching and has spent years refining their process to develop the mature patching process we see today. Second, Microsoft is working closer than ever with security researchers in their Coordinated Vulnerability Disclosure program [announced in July]. By working with researchers, Microsoft is closing the gap on the time to release fixes for vulnerabilities found.”
Still outstanding is a patch to resolve a new attack vector, involving a class of vulnerabilities, known as DLL preloading, that can be used to infect PCs when an application is tricked into loading a malicious library.