Microsoft Unleashes Massive Security Patch

It's another record-breaking month for fixing software flaws.
Microsoft on Tuesday released 16 security bulletins addressing 49 vulnerabilities in Microsoft Office, Windows, Internet Explorer and the .NET Framework.

Four of the bulletins are rated "critical," 10 are rated "important," and two are rated "moderate."

Microsoft is advising customers to focus on the four critical bulletins first. These are: MS10-071, which addresses 10 Internet Explorer vulnerabilities; MS10-076, which addresses an Open Type Font Engine flaw in Windows; MS10-077, which fixes a .NET Framework vulnerability; and MS10-075, which resolves a flaw in Windows Media Player.

The release sets a new record for the company, only two months after a record-setting month in August. Microsoft's August patch -- 14 bulletins addressing 34 vulnerabilities -- broke a record set October, 2009.

Microsoft, however, is not alone in releasing large patches this month: Oracle's quarterly security update includes fixes for 85 vulnerabilities.

Wolfgang Kandek, CTO of Qualys, notes in a blog post that MS10-071, addressing Internet Explorer flaws, is the most important patch.

"It is a critical update for Internet Explorer 6, 7 and 8 and has a exploitability index of 1 indicating that Microsoft believes the [vulnerabilities are] relatively easy to exploit," he said. "MS10-076 comes in as a close second in our ranking. It is a critical vulnerability in the way Windows handles fonts and can be triggered by a simple malicious Web page without interaction form the user, making it a good candidate for a 'drive-by' infection campaign."

Joshua Talbot, security intelligence manager at Symantec Security Response, observed in an e-mailed statement that 35 of the 49 vulnerabilities could allow remote code execution and that one of the two remaining zero-day vulnerabilities used by the Stuxnet worm has been fixed. MS10-073 fixes a flaw that allowed Stuxnet to bypass permission controls.