Microsoft on Tuesday released 14 patches, eight deemed “critical,” to cover 34 vulnerabilities across its product line.
The update sets a record for the most bulletins Microsoft has ever released in a single month and ties the record, set in June, for the most vulnerabilities addressed. The bugs reside in Windows, Office, Internet Explorer, Silverlight, XML Core Services and Server Message Block. None have been exploited in the wild, according to Microsoft.
The software giant listed four bulletins as high priority for organizations to deploy. Two of them — MS10-052 and MS10-055 — address vulnerabilities in codecs that could result in malicious code execution if users are tricked into viewing a specially crafted media file. MS10-052 only affects Windows XP and Server 2003.
“It’s another movies-to-malware month for Microsoft,” said Andrew Storms, director of security operations at vulnerability management firm nCircle. “So much of what people do on the internet these days includes videos or music, and malware writers continue to take advantage of the fact that people are less aware of malware embedded in these files.”
Microsoft also listed MS10-056, which addresses four Office vulnerabilities, as a high-priority patch. Some of the flaws could allow remote code execution if a user opens or previews a maliciously crafted RTF (Rich Text Format) email message. Vista and Windows 7 users are at less risk because of exploit mitigations built into those platforms.
Administrators should also deploy MS10-060 promptly; it resolves two flaws in the .NET Framework and the Silverlight web application framework. Version 4 of each product is not affected.
But according to researchers, another bulletin may turn out to be the most dangerous if attackers succeed in reverse engineering the fix. MS10-054 repairs flaws in the Server Message Block (SMB) server. The most severe of the bugs, according to Microsoft, “could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system.”
“The SMB pool overflow vulnerability should be a real concern for enterprises,” said Joshua Talbot, security intelligence manager at Symantec Security Response. “Not only does it give an attacker system-level access to a compromised SMB server, but the vulnerability occurs before authentication is required from computers contacting the server. This means any system allowing remote access and not protected by a firewall is at risk.”
Only one of the 14 patches fixed an issue that had been publicly known.
MS10-049 fixed a vulnerability affecting the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, first reported last year. The bug could have permitted a man-in-the-middle attacker “to introduce and execute a request in the protected TLS/SSL session between a client and a server,” according to Microsoft’s advisory in February.
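How an attacker “introduces” a request into someone else’s TLS session is easier to see in a model than in prose. The following is an added illustration written for this page; it is not Microsoft’s code and not a TLS implementation. It assumes HTTP as the application protocol, reduces the TLS handshake to a single renegotiate() event, and uses made-up hostnames, paths and a cookie value. The attacker opens its own session to the server, sends the first part of a request, then relays the victim’s handshake into that session as a renegotiation; the attacker never decrypts anything. The “discard buffered data on renegotiation” policy in the model stands in for the standards fix (RFC 5746), which instead binds a renegotiation cryptographically to the session it extends.

```python
# Added illustration of the TLS renegotiation prefix-injection flaw that
# MS10-049 addresses (the general attack pattern, not Microsoft's code).
# The TLS handshake is abstracted to a renegotiate() event; the attacker
# never sees the victim's plaintext. Hostnames, paths and cookie are made up.

from typing import Dict, List, Tuple

Request = Tuple[str, str, Dict[str, str]]  # (method, path, headers)


def parse_requests(stream: bytes) -> List[Request]:
    """Parse bodiless HTTP requests from a byte stream (each header block ends in CRLFCRLF)."""
    requests: List[Request] = []
    while b"\r\n\r\n" in stream:
        raw, stream = stream.split(b"\r\n\r\n", 1)
        lines = raw.decode("latin-1").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((method, path, headers))
    return requests


class ServerSession:
    """Server-side model of one TLS session carrying HTTP.

    discard_on_renegotiation=False models the pre-fix behaviour: bytes received
    before a renegotiation stay buffered and are joined to bytes received after
    it. True models a server that refuses to let application data span a
    renegotiation (a stand-in here for RFC 5746's cryptographic binding).
    """

    def __init__(self, discard_on_renegotiation: bool) -> None:
        self.discard_on_renegotiation = discard_on_renegotiation
        self.buffer = b""

    def app_data(self, data: bytes) -> None:
        self.buffer += data

    def renegotiate(self) -> None:
        if self.discard_on_renegotiation:
            self.buffer = b""

    def requests(self) -> List[Request]:
        return parse_requests(self.buffer)


# Constructed sample traffic. The attacker's prefix deliberately has no
# terminating CRLF, so the victim's request line lands inside the X-Ignore header.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)
VICTIM_REQUEST = (
    b"GET /account/balance HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-secret\r\n\r\n"
)


def simulate(discard_on_renegotiation: bool) -> List[Request]:
    """Run the attack against a server with the given renegotiation policy."""
    session = ServerSession(discard_on_renegotiation)
    session.app_data(ATTACKER_PREFIX)  # 1. attacker's own session: prefix sent in the clear
    session.renegotiate()              # 2. victim's handshake relayed into it as a renegotiation
    session.app_data(VICTIM_REQUEST)   # 3. victim's request arrives, encrypted under the new keys
    return session.requests()


if __name__ == "__main__":
    for policy in (False, True):
        label = "discards pre-renegotiation data" if policy else "keeps buffer (vulnerable)"
        for method, path, headers in simulate(policy):
            print(f"{label}: {method} {path} cookie={headers.get('cookie')}")
```

Against the vulnerable policy the server sees a single request for the attacker’s path carrying the victim’s session cookie; the victim’s own request line survives only as the value of the bogus X-Ignore header. With the buffer cleared at renegotiation, the server sees only the victim’s request. Note that what makes this work is the server trusting continuity across a handshake it cannot tie to the earlier one, which is why the fix lives in the TLS layer rather than in the application.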
Meanwhile, Microsoft released a new advisory on Tuesday to address a privilege-escalation vulnerability affecting the Windows Service Isolation feature.