It's another record-breaking month for fixing software flaws.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 12, 2010

Microsoft on Tuesday released 16 security bulletins addressing 49 vulnerabilities in Microsoft Office, Windows, Internet Explorer and the .NET Framework.

Four of the bulletins are rated "critical," 10 are rated "important," and two are rated "moderate."

Microsoft is advising customers to focus on the four critical bulletins first. These are: MS10-071, which addresses 10 Internet Explorer vulnerabilities; MS10-076, which addresses an Open Type Font Engine flaw in Windows; MS10-077, which fixes a .NET Framework vulnerability; and MS10-075, which resolves a flaw in Windows Media Player.

The release sets a new record for the company, only two months after a record-setting month in August. Microsoft's August patch -- 14 bulletins addressing 34 vulnerabilities -- broke a record set in October 2009.

Microsoft, however, is not alone in releasing large patches this month: Oracle's quarterly security update includes fixes for 85 vulnerabilities.

Wolfgang Kandek, CTO of Qualys, notes in a blog post that MS10-071, addressing Internet Explorer flaws, is the most important patch.

"It is a critical update for Internet Explorer 6, 7 and 8 and has an exploitability index of 1 indicating that Microsoft believes the [vulnerabilities are] relatively easy to exploit," he said. "MS10-076 comes in as a close second in our ranking. It is a critical vulnerability in the way Windows handles fonts and can be triggered by a simple malicious Web page without interaction from the user, making it a good candidate for a 'drive-by' infection campaign."

Joshua Talbot, security intelligence manager at Symantec Security Response, observed in an e-mailed statement that 35 of the 49 vulnerabilities could allow remote code execution and that one of the two remaining zero-day vulnerabilities used by the Stuxnet worm has been fixed. MS10-073 fixes a flaw that allowed Stuxnet to bypass permission controls.
