Microsoft released its monthly Patch Tuesday bulletins fixing more than 40 vulnerabilities in a variety of products including Microsoft Windows, Internet Explorer and SharePoint Server. The release, the company’s final monthly patch of 2010, brings the total number of security bulletins for the year to 106 – the highest annual total ever for the company.
Microsoft said that two of the 17 bulletins were rated critical – its highest severity rating. Another 14 were rated “Important” and one “Moderate.” An expert at Kaspersky Lab said that one of those holes, affecting Internet Explorer, is being actively exploited by malware in the wild. Among other things, Microsoft said that it has patched the last of the vulnerabilities exploited by the much-publicized Stuxnet worm: a privilege escalation hole in the Windows Task Scheduler.
Among the most important fixes were MS10-090 and MS10-091, the two bulletins rated critical. MS10-090 fixes a hole in Internet Explorer that could allow attackers to run code remotely on systems using vulnerable versions of the browser. The vulnerability affects Internet Explorer versions 6, 7 and 8 running on most supported versions of Windows and Windows Server.
“We see exploit code attacking this vulnerability hosted by a very low number of sites,” said Kurt Baumgartner, a Senior Security Researcher at Kaspersky Lab Americas. “The exploit itself is reliable and spreading an autorun- and file-infecting Sality downloader,” he wrote. The Sality variant downloads malware, mangles the OS and disables SafeBoot, he said. “The infection can be a real chore to clean.”
Also on security experts’ radar is MS10-091, a critical flaw affecting most supported versions of Windows. The flaw is in the Windows OpenType Font (OTF) driver, which runs in kernel mode, and could allow network-based attacks in which malicious OpenType fonts are hosted on a network share. When a user browses to or opens the font, an attacker could take complete control of the affected system.
Baumgartner also called attention to MS10-102, which is rated “Important” but fixes what he calls a “nightmare scenario flaw” in Hyper-V: in his description, code running with administrative privileges within a guest operating system could break out of the guest and run at SYSTEM privilege on the host operating system. Microsoft’s own bulletin describes the impact of the flaw as denial of service (a crafted packet sent to the VMBus from a guest can make the host stop responding), which accounts for the lower severity rating. “The flawed code could have been a real problem for hosted service data centers,” he said.
Finally, Microsoft closed the door on the Stuxnet attacks with MS10-092, which fixes a vulnerability in the Windows Task Scheduler that allowed an attacker who had already logged on to a vulnerable system with user privileges to elevate those privileges. That vulnerability, rated “Important” by Microsoft, was initially discovered and reported by researchers at Kaspersky Lab and affects Windows Vista, Windows Server 2008 and 2008 R2, as well as Windows 7.
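As an added practical check, not part of the original article or of any Microsoft tooling: a PowerShell snippet that asks the local Windows host whether the updates for the bulletins discussed above are installed. The bulletin-to-KB mapping in the table is my assumption taken from the bulletin titles and should be confirmed against Microsoft’s bulletin text before relying on it.

```powershell
# Added example: verify that the December 2010 bulletins discussed above are installed.
# KB numbers are assumed from the bulletin titles; confirm against the bulletins themselves.
$bulletins = @{
    'MS10-090' = 'KB2416400'  # Internet Explorer cumulative update (Critical)
    'MS10-091' = 'KB2296199'  # OpenType Font (OTF) driver (Critical)
    'MS10-092' = 'KB2305420'  # Task Scheduler elevation of privilege used by Stuxnet (Important)
    'MS10-102' = 'KB2345316'  # Hyper-V (Important; only applies to hosts running the Hyper-V role)
}

function Test-BulletinInstalled {
    param([string]$Bulletin, [string]$Kb)
    # Get-HotFix reads the installed-update inventory (Win32_QuickFixEngineering).
    # A KB that is not present yields $null instead of a terminating error.
    $hf = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Bulletin    = $Bulletin
        KB          = $Kb
        Installed   = [bool]$hf
        InstalledOn = $(if ($hf) { $hf.InstalledOn } else { $null })
    }
}

$os  = Get-WmiObject Win32_OperatingSystem
$ver = [version]$os.Version
Write-Host "Host: $($os.Caption) (version $($os.Version))"

$results = foreach ($b in $bulletins.GetEnumerator() | Sort-Object Name) {
    Test-BulletinInstalled -Bulletin $b.Name -Kb $b.Value
}
$results | Select-Object Bulletin, KB, Installed, InstalledOn | Format-Table -AutoSize

# MS10-092 only applies to Task Scheduler 2.0, i.e. Vista / Server 2008 and later (NT 6.x).
# On XP or Server 2003 (NT 5.x) the KB is simply not applicable, so its absence is not a gap.
$ts = $results | Where-Object { $_.Bulletin -eq 'MS10-092' }
if ($ver.Major -ge 6 -and -not $ts.Installed) {
    Write-Warning 'MS10-092 (Task Scheduler elevation of privilege) is missing on an affected OS version.'
}
```

Run it in an elevated PowerShell session on each host; Get-HotFix only sees updates installed through Windows Update or the standalone installers, so hosts patched by other means (for example an image rebuilt from updated media) may need the file versions listed in the bulletin checked instead.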