Microsoft's holiday bonus: Fixes for 40 flaws
A Mozilla spokeswoman said essentially the same, while Microsoft confirmed that users running Firefox, Chrome, Safari and Opera will be safe against attacks if they've applied MS10-091.
IE is not vulnerable to the flaws since it doesn't support OpenType, although hackers could exploit the bugs by getting users to navigate to a malicious network or WebDAV folder, then preview its contents with Windows Explorer, the operating system's default file manager.
One other update, MS10-105, caught the eyes of both Sarwate and Jason Miller, data and security team manager for patch-management vendor Shavlik Technologies. The two researchers said that while Microsoft rated the patch as only important, they considered it in the same class as the IE and OpenType updates.
"That one is critical as well," argued Sarwate, "since all you need is someone sending you a malicious Office document and you are exploited. I wouldn't wait until after the holidays to patch that one."
MS10-105 patches seven vulnerabilities in Office XP and Office 2003 -- but not the newer Office 2007 and 2010 editions. The bugs are in several image parsers that ship with the older versions of Office, which were both patched and revamped so that they now use the more secure GDI+ (Graphics Device Interface) rendering component called by Office 2007 and 2010.
Five other updates, MS10-093 through MS10-097, patched several Windows components that were plagued by "DLL load hijacking," also called "binary planting," flaws that researchers first disclosed last August. Microsoft had shipped only one update for DLL load hijacking before today, in November's collection of patches.
"This fixes all of the [Windows] components that we're aware of in this issue," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview just prior to today's release. "But we're not closing that advisory just yet, and will continue to investigate."
Miller, for one, was skeptical that today was the end of Microsoft's DLL load hijacking problems, but was confident next month's Patch Tuesday would be light.
"I wouldn't be surprised if Microsoft patches more products [for DLL load hijacking]," Miller said. "Microsoft has a lot of stuff to go through. But I'm not expecting a big January."
The number of updates released Tuesday was a single-month record for Microsoft, while the vulnerability count of 40 was the second-highest ever, exceeded only by the 49 from October.
Of the 40 individual patches, nine were tagged critical, 29 as important, and two as moderate.