Three of the bulletins earned the highest severity level of “critical,” while the rest were rated “important.”
This month's update closes two publicly known issues involving SharePoint and Internet Explorer (IE), according to Microsoft.
Bulletin MS10-035 closes six vulnerabilities in IE, including the zero-day that was publicly disclosed in February and can result in information disclosure. The bug can be exploited on machines running Windows XP, which lacks IE's Protected Mode, or on newer systems where Protected Mode has been disabled.
IE is one of the most targeted applications for attackers, so this bulletin should be a main priority, Jason Miller, data and security team manager at Shavlik Technologies, told SCMagazineUS.com on Tuesday.
“IE is a hotbed for exploits,” he said.
Bulletin MS10-033, also rated critical, addresses two vulnerabilities in Windows that could lead to remote code execution. The bulletin affects Windows Media, which is common among social networking applications, Miller said. The vulnerabilities could be exploited by opening a specially crafted media file or connecting to a malicious server.
“Patches for MS10-035, which includes public vulnerabilities, and MS10-033 should probably be highest on most people's priority lists because they include at least one public vulnerability and are likely to see published exploits in the next couple of weeks,” Tyler Reguly, senior security engineer for vulnerability management firm nCircle, said in a statement Tuesday.
The final critical bulletin, MS10-034, addresses two vulnerabilities in Windows.
Of the remaining patches, MS10-039 addresses the zero-day SharePoint bug, which was disclosed to Microsoft in early April by Swiss security firm High-Tech Bridge, along with two other vulnerabilities in Windows and Office. The SharePoint flaw could allow hackers to elevate privileges and steal sensitive data.
One patch in particular could cause some extra work for IT administrators this month, Miller said. Bulletin MS10-036, which addresses a single vulnerability in Office and was rated “important,” does not include a patch for Office XP, even though Office XP is affected.
“You need to be out there looking for those Office XPs and make a decision about how to get rid of this vulnerability,” Miller said.
Microsoft has issued a “Fix It” tool for Office XP. It is a workaround rather than a patch: it applies protective settings that mitigate the vulnerability without removing it. Alternatively, IT administrators can upgrade affected installations to Office 2003 or Office 2007, for which Microsoft has supplied patches.
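The first step in Miller's advice is finding the Office XP installations that MS10-036 leaves unpatched. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the Windows uninstall registry keys, picks out Office entries and maps the major version to a product generation (10 = Office XP, 11 = Office 2003, 12 = Office 2007), flagging any host where the XP Fix It or an upgrade is still required. It assumes that Office registers itself under the standard uninstall hives with a DisplayVersion whose first component is the major version; run it under an account that can read HKLM, for example from a logon script or a remote management job.

```powershell
# Added example (not from the article): inventory Office installs on a host
# and flag Office XP, which MS10-036 does not patch.
# Assumption: Office entries appear under the uninstall hives with a
# DisplayVersion beginning with the major version (10.0 = XP, 11.0 = 2003, 12.0 = 2007).
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$generation = @{ '10' = 'Office XP'; '11' = 'Office 2003'; '12' = 'Office 2007' }

$office = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Office*' -and $_.DisplayVersion } |
    ForEach-Object {
        $major = ($_.DisplayVersion -split '\.')[0]
        $product = if ($generation.ContainsKey($major)) { $generation[$major] } else { "unknown ($major)" }

        # MS10-036 ships fixes for Office 2003 and 2007 only; Office XP needs the
        # Fix It workaround or an upgrade.
        $status = if ($major -eq '10') { 'NO PATCH: apply Fix It or upgrade' }
                  elseif (@('11', '12') -contains $major) { 'patch available' }
                  else { 'not covered by MS10-036' }

        New-Object PSObject -Property @{
            Computer    = $env:COMPUTERNAME
            DisplayName = $_.DisplayName
            Version     = $_.DisplayVersion
            Product     = $product
            MS10036     = $status
        }
    }

$office | Select-Object Computer, DisplayName, Version, Product, MS10036 | Format-Table -AutoSize

# Non-zero exit when Office XP is present, so a deployment job can gate on it.
if ($office | Where-Object { $_.Product -eq 'Office XP' }) { exit 1 } else { exit 0 }
```

Collecting the output from many machines (for example by writing it to a share with Export-Csv) gives the list of hosts that still need the Fix It or an upgrade; the exit code lets the same script act as a check in an automated rollout.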
Those closely following Microsoft's monthly security updates may have started to notice a pattern emerge with respect to the number of patches doled out month to month, Miller said. The software giant has, for about the past year, been alternating between light and heavy patch months. Last month, for example, Microsoft pushed out just two bulletins.
“Microsoft typically goes few, many, few, many,” Miller said. “It bounces every month, so we were expecting this month to be big. Next month will be a lower month.”
Meanwhile, Microsoft is using the monthly update to remind customers that it plans to end support for Windows 2000 and Windows XP SP2 on July 13.