Microsoft To End Year With Massive Security Update

Microsoft is looking to ship a huge quantity of bug fixes in this month’s Patch Tuesday update, that will plug 40 security vulnerabilities across a number of products.

The bugs will be squashed by a total of 17 security bulletins, two of which are rated “critical.”

One of the two critical bulletins affects Internet Explorer (IE) versions 6, 7 and 8, while the other bulletin impacts Windows XP, Vista and Windows 7, as well as Windows Server 2003 and 2008.

Critical IE Bug

Microsoft first warned about the critical IE bug last month. According to the company, the vulnerability exists due to an invalid flag reference in the browser that can be accessed after an object is deleted. The bug has been under attack, prompting Microsoft to release an advisory with a handful of workarounds.

Of the remaining bulletins, 14 are rated “moderate,” and the final bulletin is rated “Important.” Included in the mix this month is a patch for a local privilege escalation vulnerability used by the notorious Stuxnet worm, closing the last zero-day used by the malware.

Twice this year, Microsoft has broken its record for the most security patches ever. In October, Microsoft set a new benchmark with the release of 16 security bulletins to cover 49 vulnerabilities across Windows, Internet Explorer, Microsoft Office and the .NET Framework.

Record Number

“Looking back over 2010, that brings the total bulletin count to 106, which is more bulletins than we have released in previous years,” blogged Mike Reavey, director of the Microsoft Security Response Center. “This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report.”

The high number of advisories will present a challenge to all Windows system administrators, especially with the holidays shortening the available working hours, said Wolfgang Kandek, CTO of Qualys.

“There are two advisories for Microsoft Office file format vulnerabilities that should be looked at closely and potentially prioritised by IT administrators,” he said.

The update is slated for release 14 December.