Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:24 PM
Connect Directly

Microsoft Unleashes Massive Security Patch

It's another record-breaking month for fixing software flaws.

Microsoft on Tuesday released 16 security bulletins addressing 49 vulnerabilities in Microsoft Office, Windows, Internet Explorer and the .NET Framework.

Four of the bulletins are rated "critical," 10 are rated "important," and two are rated "moderate."

Microsoft is advising customers to focus on the four critical bulletins first. These are: MS10-071, which addresses 10 Internet Explorer vulnerabilities; MS10-076, which addresses an Open Type Font Engine flaw in Windows; MS10-077, which fixes a .NET Framework vulnerability; and MS10-075, which resolves a flaw in Windows Media Player.

The release sets a new record for the company, only two months after a record-setting month in August. Microsoft's August patch -- 14 bulletins addressing 34 vulnerabilities -- broke a record set October, 2009.

Microsoft, however, is not alone in releasing large patches this month: Oracle's quarterly security update includes fixes for 85 vulnerabilities.

Wolfgang Kandek, CTO of Qualys, notes in a blog post that MS10-071, addressing Internet Explorer flaws, is the most important patch.

"It is a critical update for Internet Explorer 6, 7 and 8 and has a exploitability index of 1 indicating that Microsoft believes the [vulnerabilities are] relatively easy to exploit," he said. "MS10-076 comes in as a close second in our ranking. It is a critical vulnerability in the way Windows handles fonts and can be triggered by a simple malicious Web page without interaction form the user, making it a good candidate for a 'drive-by' infection campaign."

Joshua Talbot, security intelligence manager at Symantec Security Response, observed in an e-mailed statement that 35 of the 49 vulnerabilities could allow remote code execution and that one of the two remaining zero-day vulnerabilities used by the Stuxnet worm has been fixed. MS10-073 fixes a flaw that allowed Stuxnet to bypass permission controls.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...