Computerworld - Microsoft today released eight security updates that patch 23 vulnerabilities in Windows, Internet Explorer, Excel and other software in the company's portfolio -- a collection of fixes one researcher called "insane."
More dangerous than the sheer number of patches, however, is the fact that nearly half fix flaws that are already being exploited or are publicly known in enough detail to craft working exploits. In some cases, sample attack code is available.
"What really caught our eye is the large number of exploits that are already available," said Wolfgang Kandek, chief technology officer at security company Qualys Inc. "Out of the 23, there are 10 exploits or [flaws] that have proof-of-concept. This is a huge deal and shows just how much the patch window is shrinking."
His colleague, Amol Sarwate, the manager of Qualys' vulnerability research lab, was more specific. "This is the biggest number of zero-days we've seen from Microsoft in a long, long time. Out of the 10, six are patches for which the vulnerability is actively being exploited, three of them have proof-of-concept available, and for one, the knowledge needed to exploit this is available."
Kandek and Sarwate recommended that users patch those 10 bugs first by applying the critical updates for Excel (MS09-009) and WordPad (MS09-010), and for Windows' "token kidnapping" issues (MS09-012). Microsoft pegged the last as "important," the second-highest ranking in its four-step threat-scoring system.
Other researchers didn't call out the number of already-exploited bugs Microsoft patched today but echoed Kandek and Sarwate on the month's theme.
"You could call this a spring cleaning," said Eric Schultze, CTO at Shavlik Technologies LLC. "Microsoft jumped on a couple of zero-days, including Excel from February and WordPad from last December. It's nice to see those taken care of."
Microsoft had previously issued security advisories for Excel and WordPad, and acknowledged that in the case of the former, it had already detected attacks in at least limited numbers.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
