Microsoft is planning another massive Patch Tuesday this month: 17 bulletins with fixes for 40 security vulnerabilities.
The December batch of patches will cover security holes in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange, according to an advance notice posted Thursday.
Of the 17, Microsoft said two bulletins will be rated “critical,” the company’s highest severity rating. Of the remainder, 14 will be rated “important.”
All versions of the Windows operating system are affected, including the newest Windows 7 and Windows Server 2008 R2.
Microsoft said it will also patch the last of the vulnerabilities used in the infamous Stuxnet malware attack.
The last outstanding Stuxnet bug is a elevation of privilege flaw in the Windows Task Scheduler. Exploit code for this vulnerability is public and works against systems running Windows Vista, Windows 7 and Windows Server 2008.
A separate vulnerability in the Internet Explorer browser will also be addressed this month (see advisory).
This month’s updates will bring the total bulletins for this year to 106, the most ever.
The MSRC blog offers an explanation for this:
This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report. This isn’t really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to ten years. (One of our most popular operating systems from the turn of the century, XP SP2, reached its end-of-support life in mid-2010, in fact.) Vulnerability research methodologies, on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we’re able to release a comprehensive security update before the issue is broadly known.
