Microsoft released 16 security bulletins Tuesday to repair 49 security vulnerabilities, including six critical ones, in a record-setting patch release.
The massive update includes critical fixes for Internet Explorer, Windows and the Microsoft .NET Framework. It also includes an update to fix a vulnerability exploited by the Stuxnet Trojan, malware that seeks out Siemens industrial control system software.
Tuesday's patch release breaks the previous record of 34, which was first set in October 2009 and matched in August, according to McAfee.
MS10-071, a cumulative update for Internet Explorer, repairs 10 security vulnerabilities, the most severe of which could allow remote code execution if a user views a specially crafted webpage using Internet Explorer, according to Microsoft.
The vulnerabilities are easy for attackers to exploit, said Wolfgang Kandek, chief technology officer at Redwood Shores, Calif.-based Qualys Inc. "This is what you might want to patch as quickly as possible," he said.
MS10-076, which fixes a vulnerability in a Windows component -- the Embedded OpenType (EOT) Font Engine -- is also easily exploited by attackers because it doesn't require much interaction from the user, Kandek said. Microsoft said an attacker who exploits the flaw could take complete control of a system remotely.
Jason Miller, data and security team manager at Saint Paul, Minn.-based patch management firm Shavlik Technologies, said MS10-071 and MS10-076 are the two bulletins that should raise an alarm for administrators. It's critical to patch any Web browser vulnerability quickly because malicious websites that exploit unpatched browsers are a common attack vector, he said. EOT is a font format commonly used on webpages, he noted.
Rated by Microsoft as "important," MS10-073 repairs several vulnerabilities in Windows kernel-mode drivers, including an elevation of privilege vulnerability related to Stuxnet. According to Microsoft, an attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.
Kandek said Stuxnet used the flaw to get administrator privileges on a system and take control of it. Tuesday's update fixes the vulnerability in Windows XP but not Vista, he said. Microsoft said it will release a second and final update to repair elevation of privilege vulnerabilities exploited by Stuxnet in an upcoming bulletin.
Microsoft's September update included a fix for a critical print-sharing vulnerability actively targeted in the wild by the Stuxnet Trojan outbreak in July. The company also issued an emergency patch July 30 to repair a zero-day vulnerability in the Windows Shell that was being used by Stuxnet.
Stuxnet's sophistication has impressed security researchers, Kandek said. It adapts to different situations using a blend of vulnerabilities, he said. "It's very smartly put together."
MS10-077, rated as "critical," fixes a vulnerability in the Microsoft .NET Framework that could allow remote code execution on a client system if a user views a malicious webpage using a Web browser that can run XAML Browser Applications (XBAPs), Microsoft said. Shavlik's Miller noted that the flaw only affected 64-bit operating systems.
Overall, this month's security bulletins from Microsoft affect only older software, Miller said. For example, Internet Explorer 7 and 8 are not affected by the security vulnerabilities addressed in the cumulative IE patch. He recommended organizations upgrade to newer software, if possible.
With Tuesday's update, Microsoft has released 86 security bulletins so far this year, compared to a total of 74 last year, he said.