Microsoft patches 'insane' number of bugs
10 of the 23 vulnerabilities have already been exploited or are public
Computerworld - Microsoft today released eight security updates that patch 23 vulnerabilities in Windows, Internet Explorer, Excel and other software in the company's portfolio -- a collection of fixes one researcher called "insane."
More dangerous than the sheer number of patches, however, is the fact that nearly half fix flaws that are already being exploited or are publicly known in enough detail to craft working exploits. In some cases, sample attack code is available.
"What really caught our eye is the large number of exploits that are already available," said Wolfgang Kandek, chief technology officer at security company Qualys Inc. "Out of the 23, there are 10 exploits or [flaws] that have proof-of-concept. This is a huge deal and shows just how much the patch window is shrinking."
His colleague, Amol Sarwate, the manager of Qualys' vulnerability research lab, was more specific. "This is the biggest number of zero-days we've seen from Microsoft in a long, long time. Out of the 10, six are patches for which the vulnerability is actively being exploited, three of them have proof-of-concept available, and for one, the knowledge needed to exploit this is available."
Kandek and Sarwate recommended that users patch those 10 bugs first by applying the critical updates for Excel (MS09-009) and WordPad (MS09-010), and for Windows' "token kidnapping" issues (MS09-012). Microsoft pegged the last as "important," the second-highest ranking in its four-step threat-scoring system.
Other researchers didn't call out the number of already-exploited bugs Microsoft patched today but echoed Kandek and Sarwate on the month's theme.
"You could call this a spring cleaning," said Eric Schultze, CTO at Shavlik Technologies LLC. "Microsoft jumped on a couple of zero-days, including Excel from February and WordPad from last December. It's nice to see those taken care of."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts