Microsoft patches record 40 vulnerabilities

Today Microsoft released 17 security bulletins which address 40 vulnerabilities affecting Microsoft Office, Windows, Internet Explorer, SharePoint Server and Exchange.

This brings the total count for 2010 to 106 bulletins. Of note, only two of the bulletins are rated Critical, 14 are rated Important and one is Moderate.

In addition to the bulletins released today, Microsoft is announcing plans to extend the Office File Validation feature currently available in Office 2010, to Office 2007 and 2003. This will help protect those using older versions of Microsoft Office from file parsing vulnerabilities.

In particular, Microsoft recommends that systems administrators prioritize the following Critical bulletins:

  • MS10-090 addressing vulnerabilities in Internet Explorer.
  • MS10-091 addressing vulnerabilities in Windows.

Qualys CTO Wolfgang Kandek points out the following interesting vulnerabilities:

  • MS10-092 is the last fix for the Stuxnet family of vulnerabilities; others were MS10-046, MS10-061 and MS10-073. MS10-092 addresses a flaw in the Task Scheduler that can be used by a local user to gain system privileges and applies only to Windows Vista, Windows 7 and Windows 2008.
  • MS10-102 is an attack on Microsoft Hyper-V and while it is “only” a denial of service attack, it illustrates a coming class of vulnerabilities where a user on a guest operating system can shutdown the host operating system on a virtual machine and multiply the impact on the attacked infrastructure.

To learn more about patching challenges and techniques read our interview with Wolfgang Kandek who offers his extensive knowledge on the subject.

Don't miss