Microsoft's holiday bonus: Fixes for 40 flaws
A Mozilla spokeswoman said essentially the same, while Microsoft confirmed that users running Firefox, Chrome, Safari and Opera will be safe against attacks if they've applied MS10-091.
IE is not vulnerable to the flaws since it doesn't support OpenType, although hackers could exploit the bugs by getting users to navigate to a malicious network or WebDAV folder, then preview its contents with Windows Explorer, the operating system's default file manager.
One other update, MS10-105, caught the eyes of both Sarwate and Jason Miller, data and security team manager for patch-management vendor Shavlik Technologies. The two researchers said that while Microsoft rated the patch as only important, they considered it in the same class as the IE and OpenType updates.
"That one is critical as well," argued Sarwate, "since all you need is someone sending you a malicious Office document and you are exploited. I wouldn't wait until after the holidays to patch that one."
MS10-105 patches seven vulnerabilities in Office XP and Office 2003 -- but not the newer Office 2007 and 2010 editions. The bugs are in several image parsers that ship with the older versions of Office, which were both patched and revamped so that they now use the more secure GDI+ (Graphics Device Interface) rendering component called by Office 2007 and 2010.
Five other updates, MS10-093 through MS10-097, patched several Windows components that were plagued by "DLL load hijacking," also called "binary planting," flaws that researchers first disclosed last August. Microsoft had shipped only one update for DLL load hijacking before today, in November's collection of patches.
"This fixes all of the [Windows] components that we're aware of in this issue," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview just prior to today's release. "But we're not closing that advisory just yet, and will continue to investigate."
Miller, for one, was skeptical that today was the end of Microsoft's DLL load hijacking problems, but was confident next month's Patch Tuesday would be light.
"I wouldn't be surprised if Microsoft patches more products [for DLL load hijacking]," Miller said. "Microsoft has a lot of stuff to go through. But I'm not expecting a big January."
The number of updates released Tuesday was a single-month record for Microsoft, while the vulnerability count of 40 was the second-highest ever, exceeded only by the 49 from October.
Of the 40 individual patches, nine were tagged critical, 29 as important, and two as moderate.