Microsoft today issued 10 patches, plugging 26 holes, including three zero-day vulnerabilities on Windows, Office and Internet Explorer (IE).
This is the highest number of flaws Microsoft has ever addressed on a Patch Tuesday, security experts said today. Several of the vulnerabilities were either publicly exploited or there was proof-of-concept code available prior to today's update.
"What's most interesting to me about this drop is that so many issues were being exploited in the wild before Microsoft had an opportunity to patch them," ISS security researcher Tom Cross, a member of the X-Force team, told SCMagazine.com today. "There are definitely a lot of folks out there interested in installing malware on people's PCs…and using those things to commit crimes."
Of the vulnerabilities, 15 are labeled critical, highlighting a continued trend toward the exploitation of holes in client-side web browsers and applications. Four of the patches address vulnerabilities in Microsoft Office components, including Word, Excel and PowerPoint, which could lead to remote code execution.
Critical patches also remedied an ASP.NET cross-site scripting flaw and a Windows Shell IE bug, which could cause spyware to be downloaded onto a user's PC after a visit to a malicious website.
"This vulnerability is particularly critical because it allows remote code execution from any infected website," said Minoo Hamilton, senior security researcher for nCircle. "Critical IE vulnerabilities are the norm these days, we expect at least one every month. These are fantastic for the bad guys – many enterprises still rely heavily on IE."
Another patch fixed a vulnerability in IPv6 (internet protocol version 6), which could permit denial-of-service (DoS) attacks. Cross said administrators should pay particular attention to that flaw, even though it is considered a low threat, because it could be exploited even on systems where companies have IPv6 enabled but not in use.
Enterprises should deploy all the patches immediately, experts said.
"The quantity of Microsoft Office vulnerabilities this month illustrates this emerging attacker focus, and users should consider the installation of these patches to be a critical component to a smart security strategy," said Oliver Friedrichs, director of Symantec Security Response.
"Vulnerabilities in Microsoft Windows, Internet Explorer and Office may allow an attacker to access your computer, install and run malicious software on your computer or cause it to crash," according to a cybersecurity alert issued today by U.S.-CERT. "An attacker could exploit these vulnerabilities by using specially crafted network traffic, by convincing you to click on a specially crafted URL or by convincing you to open a specially crafted Office document."
Double-digit patches have become the norm in recent months for Microsoft as a trend continues in which hackers post proof-of-concept code shortly after Patch Tuesday, thus buying the malicious community nearly a month before Microsoft issues a fix. Sometimes, however, the problem becomes so widespread that action must be taken.
Late last month, the Redmond, Wash. software giant issued a rare out-of-cycle patch for a much-publicized zero-day IE vulnerability caused by an error in the processing of Vector Markup Language (VML).
Microsoft had announced last week it planned to issue 11 patches today but removed one after discovering "an issue in our testing…in one of the Windows Updates," a company spokesman said today. That fix will undergo additional testing and is scheduled to be part of the next release cycle, scheduled for Nov. 14.