Microsoft on Tuesday warned customers that a record number of just-patched bugs will probably be exploited in the next 30 days.
Of the 35 vulnerabilities that Microsoft has patched this month , it assigned 32 an exploitability rating, a score that quantifies the company's take on whether reliable attack code will appear. Of the 32 bugs, a record 18 were pegged with a rating of "1," which in Microsoft's methodology means it anticipates reliable exploit code in the coming month.
Microsoft also assigned nine of Tuesday's 14 security updates the same "1" exploitability rating.
Engineers with the Microsoft Security Response Center (MSRC) published a table Tuesday that spelled out their take on exploit likelihood. According to the MSRC, exploit code for five of the eight security updates labeled "critical" and four of the six pegged as "important" will probably pop up in the next 30 days.
Microsoft also expects that exploit proof-of-concept code -- demonstration exploits that often need work before they're reliable enough to use in the wild -- will be released for the remaining pair of important updates.
According to Andrew Storms, director of security operations at nCircle Security, August's exploitability index count is a record, beating June 2010's 17 vulnerabilities with an index rating of "1."
Storms' data showed that February and March 2010 each boasted 12 bugs with an exploitability index of "1," while June 2009 featured 14.
Security researchers yesterday essentially agreed with Microsoft that the month ahead could be rocky for users who are slow to apply patches. Most contacted by Computerworld believe exploits will quickly appear for several of the vulnerabilities patched Tuesday, including a pair of media-related bugs, several in Office 2007, six in Internet Explorer, and another pair in Silverlight, Microsoft's answer to Adobe's Flash.
A bug in Windows Movie Maker, software that shipped with Windows XP and Vista -- but was dumped from Window 7 -- will also probably be exploited soon, Wolfgang Kandek, CTO of Qualys, said yesterday.
Microsoft rated all those vulnerabilities with a "1" on the exploitability index.
"It's likely that many of these vulnerabilities will be weaponzied in a framework such as Metasploit," said Josh Abraham, a security researcher with Rapid7, the company that also manages the open-source Metasploit hacking toolkit. Metasploit often publishes the first public exploits of Microsoft vulnerabilities.
But people shouldn't panic, Abraham added. "The down-side for attackers is that most of these vulnerabilities require user-interaction," he said in an e-mail today.
Patching before exploits go wild is crucial, however. Users are on a clock that starting ticking Tuesday, said Jason Miller, data and security team manager for patch-management vendor Shavlik Technologies.
"And you don't want to lose this race," Miller said.