
Microsoft's holiday bonus: Fixes for 40 flaws

December 14, 2010 04:12 PM ET

A Mozilla spokeswoman said essentially the same, while Microsoft confirmed that users running Firefox, Chrome, Safari and Opera will be safe against attacks if they've applied MS10-091.

IE is not vulnerable to the flaws since it doesn't support OpenType, although hackers could exploit the bugs by getting users to navigate to a malicious network or WebDAV folder, then preview its contents with Windows Explorer, the operating system's default file manager.

One other update, MS10-105, caught the eyes of both Sarwate and Jason Miller, data and security team manager for patch-management vendor Shavlik Technologies. The two researchers said that while Microsoft rated the patch as only important, they considered it in the same class as the IE and OpenType updates.

"That one is critical as well," argued Sarwate, "since all you need is someone sending you a malicious Office document and you are exploited. I wouldn't wait until after the holidays to patch that one."

MS10-105 patches seven vulnerabilities in Office XP and Office 2003 -- but not the newer Office 2007 and 2010 editions. The bugs are in several image parsers that ship with the older versions of Office, which were both patched and revamped so that they now use the more secure GDI+ (Graphics Device Interface) rendering component called by Office 2007 and 2010.

In MS10-092, Microsoft also patched the last of the four Windows vulnerabilities that the notorious Stuxnet worm used to infiltrate industrial control systems.

Five other updates, MS10-093 through MS10-097, patched several Windows components that were plagued by "DLL load hijacking," also called "binary planting," flaws that researchers first disclosed last August. Microsoft had shipped only one update for DLL load hijacking before today, in November's collection of patches.

"This fixes all of the [Windows] components that we're aware of in this issue," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview just prior to today's release. "But we're not closing that advisory just yet, and will continue to investigate."

Miller, for one, was skeptical that today was the end of Microsoft's DLL load hijacking problems, but was confident next month's Patch Tuesday would be light.

"I wouldn't be surprised if Microsoft patches more products [for DLL load hijacking]," Miller said. "Microsoft has a lot of stuff to go through. But I'm not expecting a big January."

The number of updates released Tuesday was a single-month record for Microsoft, while the vulnerability count of 40 was the second-highest ever, exceeded only by the 49 from October.

Of the 40 individual patches, nine were tagged critical, 29 as important, and two as moderate.
