Microsoft has released its largest-ever bundle of patches, pushing out 16 updates that fix a total of 49 individual vulnerabilities. The patches include updates for six critical vulnerabilities, most notably a huge fix for some remote code-execution bugs in various versions of Internet Explorer.
The Internet Explorer update addresses a total of 10 vulnerabilities across several different versions of IE on operating systems from XP up through Windows 7. A pair of uninitialized memory corruption vulnerabilities in IE 6 up through IE 8 are deemed the most dangerous by Microsoft, with both drawing the critical rating. Only one of them is rated critical on IE 8, however.
“Looking at the number and type of updates this month, we have a fairly standard number of bulletins affecting products like Windows and Office. This month we also have a few bulletins originating from product groups that we don’t see on a regular basis. For example, SharePoint, the Microsoft Foundation Class (MFC) Library (which is an application framework for programming in Windows), and the .NET Framework. It’s worth noting that only six of the 49 total vulnerabilities being addressed have a critical rating. Further, three of the bulletins account for 34 of the total vulnerabilities,” Microsoft said.
In addition to the IE bugs, there also is a critical flaw in the .Net Framework running on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. The bug enables a remote attacker to run arbitrary code on a vulnerable machine.
One of the other bugs that Microsoft patched is MS010-073, one of the vulnerabilities used in the Stuxnet attack.
“It’s great to see Microsoft release MS010-073, patching multiple vulnerabilities in win32k.sys on multiple operating systems. It’s interesting that it’s rated only ‘Important’, because CVE-2010-2743 is being exploited in the wild. Our research team found and reported the Win32k Keyboard Layout Vulnerability to Microsoft when we discovered it exploited by Stuxnet early on in our research. It was one of the 0days used by Stuxnet to execute shellcode at system-level privileges by abusing the NtUserSendInput function,” said Kurt Baumgartner, a senior security researcher at Kaspersky Lab.
Information on all of the Microsoft updates can be found on the Microsoft Security Response Center TechNet blog.