Microsoft next week will release 17 bulletins to patch 40 flaws in various versions of Windows, Internet Explorer and Microsoft Office.
The December 2010 bulletins will be released on Tuesday, Dec. 14, and will offer patches for flaws in Microsoft Windows and Office, Internet Explorer versions 6, 7 and 8, SharePoint and Exchange, according to Microsoft's advance notification, released today.
Of the 17 bulletins, two are rated "critical." These will remedy remote code-execution flaws in Windows XP, Vista and Windows 7, Windows Server 2003 and 2008, and Internet Explorer versions 6, 7 and 8.
The rest of the December patches will address a variety of important and moderate-level remote code-execution, denial-of-service and privilege-escalation problems.
Regardless of which versions of Windows enterprises are running on their endpoints, most organizations will be faced with a number of updates. XP will have 7 updates, Vista 8 updates, and even Microsoft's newest client OS, Windows 7, will get 7 updates. Microsoft is also hoping to fix flaws in Windows Task Scheduler that have been exploited by the Stuxnet worm.
Including the 17 bulletins released for this month, Microsoft will have released a record-breaking 106 patches in 2010.
In a post Thursday on the Microsoft Security Response Center (MSRC) blog, Microsoft's Mike Reavey wrote that the Microsoft December 2010 patches cap off a voluminous year of patches for the software giant.
"This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report," Reavey said. "This isn't really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to 10 years.
"Vulnerability research methodologies, on the other hand, change and improve constantly," Reavey added. "Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports."
Jason Miller, data and security team leader for New Brighton, Minn.-based patch management vendor Shavlik Technologies Corp., wrote on Shavlik's blog that next week's patch release is a "doozy" that "could be particularly challenging for administrators" not only because of the sheer volume of patches, but also because vacation time among IT staff may alter the normal patching process.
Per usual, Microsoft has also announced the planned release of a new version of the Microsoft Windows Malicious Software Removal Tool on Microsoft and Windows Update, Windows Server Update Services and the Download Center.