Users of Windows XP, Windows Vista and Windows 7, as well as Internet Explorer, Office, SharePoint and Exchange, are being urged to update their software today after Microsoft patched 40 vulnerabilities. Nine of the flaws were described as "critical".
Record Patch Tuesday update fixes 40 flaws
Five of the 17 security updates - Microsoft calls them "bulletins" - fixed long-standing flaws that could be used by attackers to plant malware on a PC by tricking Windows into thinking a malicious DLL (dynamic link library) was actually a legitimate part of the OS.
Only two of the 17 updates were judged critical, Microsoft's top-most threat ranking in its four-step scoring system. Another 14 were marked "important," the second-highest rating, while the remaining update was labeled "moderate."
Microsoft put the spotlight on the two critical bulletins, as did several security experts.
"Both MS10-090 and MS10-091 are pretty critical, I think," said Andrew Storms, director of security operations for nCircle Security. "Microsoft's evaluation seems in line with what I would expect, and shows that they're giving a pretty fair and balanced representation of priorities."
Amol Sarwate, manager of Qualys' vulnerabilities research labs, agreed with Storms, putting those updates at the top of his list, too.
MS10-090 patches seven vulnerabilities in IE, six of them critical and one marked moderate. All supported versions, including 2009's IE8, are affected by one or more of the bugs. Microsoft Internet Explorer 9, which is still in beta testing, does not harbour any of the seven vulnerabilities, Microsoft said in its advisory.
Among the patched IE bugs were three that had been publicly disclosed before today, and one that hackers have been exploiting for at least the past six weeks.
Microsoft confirmed the latter on November 3 in a security advisory, but was unable to craft and test a patch in time to make it into that month's security update.
MS10-091, which in Microsoft's eyes is a Windows update, also affected browsers - but not IE directly.
Instead, attackers could exploit the three vulnerabilities in the update - all rated critical - through non-Microsoft browsers that support the open-source OpenType font format by simply tricking users into visiting a malicious site.
Microsoft did not list the affected browsers, but the other four of the top five - Firefox, Chrome, Safari and Opera - all support OpenType fonts.
It's unclear today whether those browsers need to be patched separately, and if so whether they have been patched. For its part, Microsoft said it had reached out to the other browser makers to let them know about the OpenType bugs it was addressing.
Opera Software, whose security team co-reported one of the three OpenType vulnerabilities to Microsoft, said that other browsers did not need repair.
"The patch for Opera is the referenced Microsoft [MS10-091] patch, as it is not possible for the [browser] to protect itself against the problem, except by disabling webfonts, since the problem is in the OS's handling of fonts," said Thomas Ford, an Opera spokesman.
A Mozilla spokeswoman said essentially the same, while Microsoft confirmed that users running Firefox, Chrome, Safari and Opera will be safe against attacks if they've applied MS10-091.
IE is not vulnerable to the flaws since it doesn't support OpenType, although hackers could exploit the bugs by getting users to navigate to a malicious network or WebDAV folder, then preview its contents with Windows Explorer, the operating system's default file manager.
One other update, MS10-105, caught the eyes of both Sarwate and Jason Miller, data and security team manager for patch-management vendor Shavlik Technologies. The two researchers said that while Microsoft rated the patch as only important, they considered it in the same class as the IE and OpenType updates.
"That one is critical as well," argued Sarwate, "since all you need to someone sending you a malicious Office document and you are exploited. I wouldn't wait until after the holidays to patch that one."
MS10-105 patches seven vulnerabilities in Office XP and Office 2003 - but not the newer Office 2007 and 2010 editions. The bugs are in several image parsers that ship with the older versions of Office, which were both patched and revamped so that they now use the more secure GDI+ (Graphics Device Interface) rendering component called by Office 2007 and 2010.
Microsoft also patched the last of four Windows vulnerabilities that were used by the notorious Stuxnet worm to infiltrate industrial control systems in MS10-092 .
Five other updates, MS10-093 through MS10-097, patched several Windows components that were plagued by "DLL load hijacking," also called "binary planting," flaws that researchers first disclosed last August . Microsoft had shipped only one update for DLL load hijacking before today, in November's collection of patches.
"This fixes all of the [Windows] components that we're aware of in this issue," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview just prior to today's release. "But we're not closing that advisory just yet, and will continue to investigate."
Miller, for one, was skeptical that today was the end of Microsoft's DLL load hijacking problems, but was confident next month's Patch Tuesday would be light.
"I wouldn't be surprised if Microsoft patches more products [for DLL load hijacking]," Miller said. "Microsoft has a lot of stuff to go through. But I'm not expecting a big January."
The number of updates released Tuesday was a single-month record for Microsoft , while the vulnerability count of 40 was the second-highest ever, exceeded only by the 49 from October.
Of the 40 individual patches, nine were tagged critical, 29 as important, and two as moderate.
Bryant said that part of the reason for the large number of updates is that Microsoft has nearly cleared its backlog of reported vulnerabilities. "We've worked through most of the critical issues that we have right now," he said.
Acknowledging that IT staffs are short-handed this time of year - what with holidays and vacation time - Microsoft urged customers to focus on the two critical updates.
"We encourage customers to install all the updates as soon as possible," said Bryant, pointing to MS10-090 and MS10-091 as the two to fix first. "They can then look at the [others] and prioritize them [for deployment], perhaps after the holidays."
Security researchers echoed Bryant's recommendation.
"The good news today is that the bugs that are going to be exploited are on the client side, especially IE and other browsers," said Storms. "Given that there are no critical vulnerabilities on servers, it's not likely that they're going to be exploited so it's not a huge risk to focus the resources on the end users. Administrators who do that should fare pretty well over the holidays."
Experts also commented on 2010's record number of security bulletins from Microsoft, which released 106 bulletins and patched 266 separate vulnerabilities this year. "I have a hard time saying 'one hundred and six,'" said Miller, referring to the year's update tally. "It seems every month this year we've said this is big, huge. We sound like a broken record. But this is what we asked for."
Those same researchers said that, contrary to first glance, the 106 updates are a good thing, not bad. "I think it's a good sign," said Miller. "They're finding bugs, they're fixing bugs, and making everyone safer."
Today's security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.