Microsoft patches 'insane' number of bugs
10 of the 23 vulnerabilities have already been exploited or are public
Computerworld - Microsoft today released eight security updates that patch 23 vulnerabilities in Windows, Internet Explorer, Excel and other software in the company's portfolio -- a collection of fixes one researcher called "insane."
More dangerous than the sheer number of patches, however, is the fact that nearly half fix flaws that are already being exploited or are publicly known in enough detail to craft working exploits. In some cases, sample attack code is available.
"What really caught our eye is the large number of exploits that are already available," said Wolfgang Kandek, chief technology officer at security company Qualys Inc. "Out of the 23, there are 10 exploits or [flaws] that have proof-of-concept. This is a huge deal and shows just how much the patch window is shrinking."
His colleague, Amol Sarwate, the manager of Qualys' vulnerability research lab, was more specific. "This is the biggest number of zero-days we've seen from Microsoft in a long, long time. Out of the 10, six are patches for which the vulnerability is actively being exploited, three of them have proof-of-concept available, and for one, the knowledge needed to exploit this is available."
Kandek and Sarwate recommended that users patch those 10 bugs first by applying the critical updates for Excel (MS09-009) and WordPad (MS09-010), and for Windows' "token kidnapping" issues (MS09-012). Microsoft pegged the last as "important," the second-highest ranking in its four-step threat-scoring system.
Other researchers didn't call out the number of already-exploited bugs Microsoft patched today but echoed Kandek and Sarwate on the month's theme.
"You could call this a spring cleaning," said Eric Schultze, CTO at Shavlik Technologies LLC. "Microsoft jumped on a couple of zero-days, including Excel from February and WordPad from last December. It's nice to see those taken care of."
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!