Microsoft patches third Stuxnet vulnerability; critical bugs affect IE and Windows

Microsoft delivers record Patch Tuesday with 16 updates for 49 vulnerabilities

Microsoft today fixed a third vulnerability used by the notorious Stuxnet malware, leaving just one unpatched vulnerability related to a worm that may have been developed to attack Iran's nuclear program

But for most home and business users, today's Patch Tuesday security update is worth paying attention to for other reasons. The Stuxnet bug patched today "could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application," and affects "all supported editions of Microsoft Windows," Microsoft said. But the patch was rated only as "important," whereas four other patches were rated as critical, the most severe classification.

Microsoft kills security updates, support for Windows 2000, XP Service Pack 2

MS10-071 may be the most dangerous vulnerability patched today, according to Amol Sarwate, a security researcher for Qualys. The patch is rated critical for Internet Explorer 6, 7 and 8 in part because the problem it solves could allow remote code execution when a user simply views a specially crafted Web page.

"The criticality is high and also the likelihood of seeing an exploit is high as well," Sarwate says.

Sarwate also singled out Security Bulletin MS10-076, which affects a component called the Embedded OpenType (EOT) Font Engine in many versions of Windows, including Windows 7 on the desktop and Windows Server 2008 R2 in the data center.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely," Microsoft said. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The other two critical patches are MS10-075, which is related to a vulnerability in Windows Media Player; and MS10-077, which is related to a problem with the .NET Framework. Both could allow remote code execution.

Overall, Microsoft delivered 16 security updates covering 49 vulnerabilities, both of which are records. Microsoft has released 86 security bulletins so far in 2010, exceeding the number reported in each of the previous three years, according to Shavlik Technologies.

In terms of Stuxnet, this is the third consecutive month in which Microsoft has patched a vulnerability related to the worm, which "was undoubtedly created by professionals who've got a thorough grasp of antivirus technologies and their weaknesses," according to Kaspersky Lab.

One more elevation of privilege vulnerability related to Stuxnet has still not been patched.

Research into Stuxnet continues. "People are still finding some small things here and there, but nothing big enough to be zero-days," according to Sarwate. "There is one more zero-day patch that still needs to be fixed. I hope that's the end of it."

Sarwate chalks up the rising number of reported vulnerabilities to the fact that more researchers on both the good and evil sides of the equation are examining software and looking for attack points.

Because of the large number of patches in this month's security update, it could take a while to roll them out across a large enterprise. Eight of the 16 updates require restart, and the other eight may require restart.

"The key is to prioritize your patches because these patches do take some time in a large organization," Sarwate says.

Some other tidbits from Patch Tuesday:

  • Office 2010 was patched for the first time, and older versions of Office are showing their age with numerous vulnerabilities. "This month should be a wakeup call for anyone still running Office XP, the number vulnerabilities affecting only that product are a clear indicator that it's time to upgrade to a newer version, perhaps Office 2010," says Tyler Reguly, Lead Security Engineer for nCircle.
  • Out of the 16 security bulletins, nine are "likely" to see a code execution exploit developed. One (the Stuxnet worm) is already being used in the wild.
  • Microsoft issued more than 20 thank you notes to researchers who reported security issues, including three to Google employees. Earlier this year, Microsoft accused Google of putting Windows customers at risk by publishing exploit code.
  • 35 of the 49 vulnerabilities could allow remote code execution, according to Symantec. "The vulnerability addressed in the Embedded OpenType Font Engine is perhaps the most likely to be widely exploited," Symantec security researcher Joshua Talbot commented. "Similar vulnerabilities have seen extensive exploitation in the past. Since this particular issue affects so many Windows operating systems and can be exploited via Web browser, it's likely to get the immediate attention of attackers."

nCircle security director Andrew Storms agreed that applying this month's security updates could be a challenge for IT administrators.

"This month it's more important than ever to be able to prioritize the release," Storms commented. "The Internet Explorer bulletin along with the Embedded OpenType bug fixes should make it to the top of the list for everyone because they can both be used for dangerous drive-by attacks. Consumers and corporate enterprise teams must make sure these patches get installed as quickly as possible."

To help customers prioritize patches, Microsoft released the following chart

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT