Microsoft on Tuesday issued a record 16 security bulletins that address 49 vulnerabilities. The problems affect Microsoft Office, Windows, Internet Explorer, and the .NET Framework. Microsoft rated only six of the 49 vulnerabilities critical.
"Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all," said Joshua Talbot, security intelligence manager for Symantec Security Response. "Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines."
Talbot pointed out that one of the two remaining Stuxnet-related zero-day vulnerabilities was fixed with Tuesday's release. Stuxnet uses the Win32 keyboard layout vulnerability to gain administrator privileges on infected systems. This ensures that malicious actions won't be blocked on targeted systems.
"The vulnerability addressed in the Embedded OpenType Font Engine is perhaps the most likely to be widely exploited," Talbot said. "Similar vulnerabilities have seen extensive exploitation in the past. Since this particular issue affects so many Windows operating systems and can be exploited via a web browser, it's likely to get the immediate attention of attackers."
Remember To Upgrade
Andrew Storms, director of security operations at nCircle, said it's possible that Microsoft will hit the triple-digit mark for bulletins in 2010. As he sees it, "another 14 bulletins over the next two months seems more than likely." This month, he added, it's more important than ever to prioritize the release. He agreed with Talbot that the Embedded OpenType bugs should top the list.
Tyler Reguly, lead security engineer for nCircle, said that once you add in IIS client-side certificates, Office Web Apps, and Windows Media Home Sharing, the affected products make a rather eclectic collection.
"The most important message this month is 'upgrade,'" Reguly said. "This month should be a wake-up call for anyone still running Office XP; the number of vulnerabilities affecting only that product is a clear indicator that it's time to upgrade to a newer version, perhaps Office 2010, which has only a single CVE affecting it."
Security Patches Galore
For all the talk about Microsoft's record-breaking release, it seems minuscule compared to Oracle's patch release for 81 flaws, 31 of which are remotely exploitable without authentication, said Paul Henry, security and forensic analyst for Lumension.