Microsoft ends record security year with huge Patch Tuesday

Internet Explorer, Stuxnet flaws fixed by Microsoft

Microsoft's security team broke all sorts of records for issuing patches this year, and 2010's final Patch Tuesday was the biggest one of all.

"Microsoft is ending this year on a high note, with their highest number of bulletins ever," nCircle director of security operations Andrew Storms notes. "With a record 17 bulletins ... we are getting a huge number of individual bug fixes."


With today's update, Microsoft has issued 106 security bulletins patching a total of 266 vulnerabilities in 2010, both of which are also records for the company. Whether this is due to Microsoft products becoming more vulnerable, or greater attention being paid to vulnerabilities (or a combination of both) is an open question. Microsoft has said its policy of supporting products for up to ten years means a lot of older pieces of software have to continue receiving patches.

In this year's final Patch Tuesday, Microsoft fixed a critical Internet Explorer problem as well as the final known bug exploited by the Stuxnet worm.

"The most important bug this month is clearly the IE update that includes a fix for the outstanding zero-day bug discovered in early November," Storms says. "With more and more people shopping online this time of year, it's important for everyone to patch their browsers."

Storms was referring to MS10-090, which resolves four vulnerabilities that could allow remote code execution when a user views a specially crafted web page with IE6, IE7 or IE8. "The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory and script during certain processes," Microsoft said.

This was one of only two bulletins that Microsoft rated "critical". The other was MS10-091, which patches bugs in the Windows OpenType Font (OTF) driver. "An attacker could host a specially crafted OpenType font on a network share. The affected control path is then triggered when the user navigates to the share in Windows Explorer, allowing the specially crafted font to take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said. Note that the attack path Microsoft describes requires no file to be opened: browsing to the share in Windows Explorer is enough for the font to be parsed.

Separately, Microsoft has fixed the fourth and final known vulnerability related to the Stuxnet worm with MS10-092, which affects Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

MS10-092 was rated important, rather than critical, as were most of the remaining bulletins. However, Qualys vulnerabilities lab manager Amol Sarwate says one of the "important" bulletins should have been rated critical.

That bulletin, MS10-105, covers a flaw in the graphics filters used by numerous versions of Microsoft Office; a malicious image embedded in an Office document could allow remote code execution.

"I personally think it's critical because you could get an Excel spreadsheet, or any Office document with one of these graphics filters, and it could allow an attacker to execute code on a computer," Sarwate says.

Although the bug is also present in Office 2007 and 2010, remote code execution is possible only on older versions.

Speaking of Office, Microsoft said Office File Validation will be made available for the 2003 and 2007 versions of the software starting in Q1 2011. The software is already available on Office 2010, and opens files in a safe mode when security threats are detected.

That is a future mitigation, though, and does nothing for IT managers applying today's patches, whose immediate concern is reboots.

As PC World notes, "The security bulletins cover the range of Microsoft software including all versions of Windows, as well as Internet Explorer, Microsoft Office, SharePoint, and Exchange. All 17 of the security bulletins are listed as either 'Requires restart' or 'May require restart', so IT admins should be prepared for the fact that systems will need to be rebooted to complete the patch process."
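Since every bulletin in this release needs a restart to take effect, an admin wants two things from each host: confirmation that the expected updates are installed, and whether a reboot is still pending. The following PowerShell is an added example, not code from the article, Microsoft or PC World. It assumes the admin supplies the KB numbers for the bulletins (the article does not list them; each MS10-xxx bulletin page does) and relies on the standard registry locations Windows servicing uses to record a pending restart.

```powershell
# Added example (not from the article): report missing KBs and pending-reboot
# state for this host. The KB numbers are NOT given in the article; look them
# up on each MS10-xxx bulletin page and pass them in as -RequiredKBs.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$RequiredKBs   # e.g. @('KB1111111', 'KB2222222') -- placeholders only
)

# Registry keys that Windows servicing / Windows Update set when a restart is due.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)

function Test-PendingReboot {
    foreach ($key in $rebootKeys) {
        if (Test-Path $key) { return $true }
    }
    # A queued file rename (typically a locked DLL swapped in at next boot) also
    # means the patch is not fully applied until the machine restarts.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    return $false
}

# Get-HotFix lists installed updates by HotFixID (e.g. KB2416400-style IDs).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKBs | Where-Object { $installed -notcontains $_ }

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    MissingKBs    = ($missing -join ', ')
    RebootPending = Test-PendingReboot
}
```

Run it on each host after deployment (or via remoting) and act on any row where MissingKBs is non-empty or RebootPending is True; a host that shows the KB installed but still has a pending reboot is not yet protected by that fix.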

Follow Jon Brodkin on Twitter


Copyright © 2010 IDG Communications, Inc.
