Microsoft released a record-breaking security update on Tuesday, patching 64 vulnerabilities with 17 bulletins -- nine labeled "critical" and eight deemed "important."
The software giant and most vendor experts agreed that MS11-018, which resolves five flaws in Internet Explorer, rates as the highest-priority fix because of limited attacks underway against two of the vulnerabilities and the ease by which further exploits could take shape. One of the bugs became publicly known after it was demonstrated at CanSecWest's Pwn2Own hacker competition in Vancouver last month.
Internet Explorer 9 is not affected by the flaws, which can spread if a user visits a malicious web page.
The former addresses one publicly known and one privately reported flaw, both client-side, in the Windows Server Message Block (SMB).
The latter addresses a server-side SMB bug, which has some observers wondering if, left unpatched, it could lead to a "wormable" exploit, similar to the Conficker outbreak of 2009.
"Attackers can send a specially crafted packet to a server running this file-sharing service and take control of the machine," explained Wolfgang Kandek, CTO of vulnerability management firm Qualys. "Companies that make SMB accessible over the internet are especially at risk. However, the main attack opportunity is going to be inside of enterprise networks, once an attacker has established a presence on the network."
Among the other patches, Microsoft filled a zero-day hole in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, used by applications to render certain types of documents. The flaw, rated important, has been abused in “limited, targeted attacks," Microsoft has said.
With the update, the software giant also released the Office File Validation tool, announced in December, which helps to block malware cloaked as a legitimate Office document, a common technique used by virus writers. A rootkit evasion tool also was part of the update.
No matter which way one slices it, administrators will have their hands full with Tuesday's update. The previous record for vulnerabilities addressed in one month was 49, back in October.
"Business users need to have a risk management strategy in place to prioritize the patches," said Dave Marcus, director of security research and communication at McAfee Labs.