Microsoft has confirmed that it will release 17 updates to address 40 vulnerabilities on its final Patch Tuesday of 2010.
Two of the bulletins are rated critical, 14 are rated important and one is rated moderate. Included are patches for Windows, Office, Internet Explorer, SharePoint and Exchange and all versions of the Windows operating system are affected. Full details are available here.
Microsoft also said it will patch the last of the vulnerabilities exploited by Stuxnet, an elevation of privilege flaw in the Windows Task Scheduler.
Mike Reavey, director of the Microsoft Security Response Centre (MSRC), said that it is closing the last Stuxnet-related issues this month, despite having seen no evidence of the flaw being exploited outside the malware itself.
He also confirmed that the Internet Explorer flaw first reported in early November is to be fixed. The original security advisory said that the vulnerability is due to an invalid flag reference within Internet Explorer, which can be accessed after the object it refers to has been deleted. In a specially crafted attack, Internet Explorer's attempt to access the freed object can be turned into remote code execution.
Reavey said that over the past month, Microsoft and its Active Protections Program (MAPP) partners have actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts monitored remained relatively low.
Wolfgang Kandek, CTO of Qualys, commented that this was the largest Patch Tuesday ever with a total of 17 bulletins.
He said: “Out of the 17 advisories only two are rated critical; our recommendation will be to apply the Internet Explorer patch as soon as possible. The second advisory is critical only for Vista, Windows 7 and Windows 2008; users of XP and 2003 are only looking at a rating of ‘Important’. There are two advisories for Microsoft Office file format vulnerabilities that should be looked at closely and potentially prioritised by IT administrators.
“This month also closes the last open zero-day vulnerability from the Stuxnet worm. Microsoft is providing an update rated ‘Important’ because it addresses a privilege escalation bug. The high number of advisories will present a challenge to all Windows system administrators, especially with the holidays shortening the available working hours.”
These 17 bulletins bring the total released for 2010 to 106. Reavey said that this was the most releases in many years, with an increase in vulnerability detection a contributing factor.
“This is not really surprising when you think about product lifecycles and the nature of vulnerability research. Microsoft supports products for up to ten years, one of our most popular operating systems from the turn of the century (XP SP2) reached its end-of-support life in mid-2010, in fact,” he said.
“Vulnerability research methodologies on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 per cent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known.
“At the end of the day, Microsoft's primary focus is to release reliable, high-quality updates to our customers. Feedback from customers indicates that this is the most important factor in minimising disruption and allowing them to deploy our updates quickly, even more important than the overall number of security updates.”
Jason Miller, security and data team manager at Shavlik Technologies, said that this could be particularly challenging for administrators this month, not just because of the sheer number of bulletins but also because this is the time of the year that vacations are planned and spent over the holidays.
“Looking back through this year, the recurring theme has been a record-breaking month, followed by another and another. Needless to say, a trend has been established. As each ‘light’ month is typically followed by a ‘heavy’ month, we should not be surprised next year that we are back on this topic (possibly as soon as February),” he said.
“In fact, this is the first time we will be seeing a bulletin number in the hundreds. If all 17 bulletins are released on Tuesday, we will see bulletins through to MS10-106. If it seems that you have spent a lot of time patching this year, you are correct; just compare this year's bulletin number with previous years: 74 in 2009 and 78 in 2008.”