
Patch Tuesday: 17 bulletins, 40 vulnerabilities


nsane.forums


Microsoft is planning another massive Patch Tuesday this month: 17 bulletins with fixes for 40 security vulnerabilities. The December batch of patches will cover security holes in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange, according to an advance notice posted Thursday.

Of the 17, Microsoft said two bulletins will be rated "critical," the company's highest severity rating. Of the remainder, 14 will be rated "important."

All versions of the Windows operating system are affected, including the newest Windows 7 and Windows Server 2008 R2.

Microsoft said it will also patch the last of the vulnerabilities used in the infamous Stuxnet malware attack. The last outstanding Stuxnet bug is an elevation of privilege flaw in the Windows Task Scheduler. Exploit code for this vulnerability is public and works against systems running Windows Vista, Windows 7 and Windows Server 2008.

A separate vulnerability in the Internet Explorer browser will also be addressed this month (see advisory).

This month's updates will bring the total bulletins for this year to 106, the most ever.

The MSRC blog offers an explanation for this:

This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report. This isn't really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to ten years. (One of our most popular operating systems from the turn of the century, XP SP2, reached its end-of-support life in mid-2010, in fact.) Vulnerability research methodologies, on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known.

The bulletins will also address a number of remote code execution, elevation of privilege, and denial of service vulnerabilities.

The patches will fix vulnerabilities in the following software:

  • Windows XP SP3
  • Windows Vista SP1 & SP2
  • Windows 7
  • Windows Server 2003 SP2
  • Windows Server 2008 SP2
  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8
  • Microsoft Office XP SP3
  • Microsoft Office 2003 SP3
  • Microsoft Office 2007 SP2
  • Microsoft Office 2010
  • Microsoft Office SharePoint Server 2007 SP2
  • Microsoft Exchange Server 2007 SP2

Some of these updates will require a restart. Affected software includes both 32-bit and 64-bit, where applicable.
