Microsoft on Tuesday pushed out 11 patches for 25 vulnerabilities.
Two of the fixes — MS10-020 and MS10-022 — correct previously known vulnerabilities, one a flaw in VBScript, which could permit attackers to execute remote code on victim machines, and the other a denial-of-service bug in Server Message Block, disclosed in November.
But on Tuesday the software giant identified three other patches — MS10-019, MS10-026 and MS10-027 — as the major priorities, Jerry Bryant, group manager of response communications at Microsoft, said in a blog post.
MS10-019, which resolves two vulnerabilities, affects all Windows versions and can allow an attacker to change PE (portable executable) and CAB (cabinet) files to add malicious content, without invalidating the digital signature.
"It is very common to rely on a digital signature to verify the integrity of the file," explained Jason Miller, data and security team leader at Shavlik Technologies, provider of vulnerability management products. "If the signature is valid, the file came from the original source, making this a simple and secure process. However, with this vulnerability, attackers can trick people into thinking the file is valid."
MS10-026 corrects a critical bug on Windows 2000, XP, Server 2003 and Server 2008. The vulnerability can be exploited via drive-by download by tricking the user into visiting a web page streaming a malicious AVI file. In a similar scenario, MS10-027 rectifies a flaw in Windows Media Player that can be exploited by directing someone to an infected website.
"If you put these fixes together with Apple's recent patch of QuickTime, it's pretty obvious that attackers are finding a lot of victims through video," said Andrew Storms, director of security operations at nCircle, a vulnerability management firm.
Meanwhile, MS10-021, graded either "important" or "moderate" depending on which version of Windows one is running, closes privilege-escalation vulnerabilities in the Windows kernel. The fix is similar to a patch distributed in February that temporarily was sidelined after it resulted in a denial-of-service condition when installed by users whose machines are infected with a rootkit known as Alureon. That patch eventually was reinstated, and for now on, similar fixes include "detection logic for unusual conditions or modifications to Windows kernel binaries," Bryant said.
One vulnerability is Windows 2000 specific. MS10-025 closes a Windows Media Services bug that can be exploited to execute remote code. Bryant recommended moving this patch up in the deployment list for companies with large deployments of the oldest supported Windows platform.