Microsoft's holiday bonus: Fixes for 40 flaws

Ships record number of updates, patches critical IE bugs, flaws exploitable through rivals' browsers

Microsoft today patched 40 vulnerabilities in Windows, Internet Explorer (IE), Office, SharePoint and Exchange, including nine pegged "critical."

Five of the 17 security updates -- Microsoft calls them "bulletins" -- fixed long-standing flaws that could be used by attackers to plant malware on a PC by tricking Windows into thinking a malicious DLL (dynamic link library) was actually a legitimate part of the OS.

Only two of the 17 updates were judged critical, Microsoft's top-most threat ranking in its four-step scoring system. Another 14 were marked "important," the second-highest rating, while the remaining update was labeled "moderate."

Microsoft put the spotlight on the two critical bulletins, as did several security experts.

"Both MS10-090 and MS10-091 are pretty critical, I think," said Andrew Storms, director of security operations for nCircle Security. "Microsoft's evaluation seems in line with what I would expect, and shows that they're giving a pretty fair and balanced representation of priorities."

Amol Sarwate, manager of Qualys' vulnerabilities research labs, agreed with Storms, putting those updates at the top of his list, too.

MS10-090 patches seven vulnerabilities in IE, six of them critical and one marked moderate. All supported versions, including 2009's IE8, are affected by one or more of the bugs. IE9, which is still in beta testing, does not harbor any of the seven vulnerabilities, Microsoft said in its advisory.

Among the patched IE bugs were three that had been publicly disclosed before today, and one that hackers have been exploiting for at least the last six weeks .

Microsoft confirmed the latter on Nov. 3 in a security advisory, but was unable to craft and test a patch in time to make it into that month's security update.

MS10-091 , which in Microsoft's eyes is a Windows update, also affected browsers -- but not IE directly.

Instead, attackers could exploit the three vulnerabilities in the update -- all rated critical -- through non-Microsoft browsers that support the open-source OpenType font format by simply tricking users into visiting a malicious site.

Microsoft did not list the affected browsers, but the other four of the top five -- Firefox, Chrome, Safari and Opera -- all support OpenType fonts.

It's unclear today whether those browsers need to be patched separately, and if so whether they have been patched. For its part, Microsoft said it had reached out to the other browser makers to let them know about the OpenType bugs it was addressing.

Opera Software, whose security team co-reported one of the three OpenType vulnerabilities to Microsoft, said that other browsers did not need repair.

"The patch for Opera is the referenced Microsoft [MS10-091] patch, as it is not possible for the [browser] to protect itself against the problem, except by disabling webfonts, since the problem is in the OS's handling of fonts," said Thomas Ford, an Opera spokesman.

A Mozilla spokeswoman said essentially the same, while Microsoft confirmed that users running Firefox, Chrome, Safari and Opera will be safe against attacks if they've applied MS10-091.

IE is not vulnerable to the flaws since it doesn't support OpenType, although hackers could exploit the bugs by getting users to navigate to a malicious network or WebDAV folder, then preview its contents with Windows Explorer, the operating system's default file manager.

One other update, MS10-105, caught the eyes of both Sarwate and Jason Miller, data and security team manager for patch-management vendor Shavlik Technologies. The two researchers said that while Microsoft rated the patch as only important, they considered it in the same class as the IE and OpenType updates.

"That one is critical as well," argued Sarwate, "since all you need to someone sending you a malicious Office document and you are exploited. I wouldn't wait until after the holidays to patch that one."

MS10-105 patches seven vulnerabilities in Office XP and Office 2003 -- but not the newer Office 2007 and 2010 editions. The bugs are in several image parsers that ship with the older versions of Office, which were both patched and revamped so that they now use the more secure GDI+ (Graphics Device Interface) rendering component called by Office 2007 and 2010.

Microsoft also patched the last of four Windows vulnerabilities that were used by the notorious Stuxnet worm to infiltrate industrial control systems in MS10-092 .

Five other updates, MS10-093 through MS10-097, patched several Windows components that were plagued by "DLL load hijacking," also called "binary planting," flaws that researchers first disclosed last August . Microsoft had shipped only one update for DLL load hijacking before today, in November's collection of patches.

"This fixes all of the [Windows] components that we're aware of in this issue," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview just prior to today's release. "But we're not closing that advisory just yet, and will continue to investigate."

Miller, for one, was skeptical that today was the end of Microsoft's DLL load hijacking problems, but was confident next month's Patch Tuesday would be light.

"I wouldn't be surprised if Microsoft patches more products [for DLL load hijacking]," Miller said. "Microsoft has a lot of stuff to go through. But I'm not expecting a big January."

The number of updates released Tuesday was a single-month record for Microsoft , while the vulnerability count of 40 was the second-highest ever, exceeded only by the 49 from October.

Of the 40 individual patches, nine were tagged critical, 29 as important, and two as moderate.

Bryant said that part of the reason for the large number of updates is that Microsoft has nearly cleared its backlog of reported vulnerabilities. "We've worked through most of the critical issues that we have right now," he said.

Acknowledging that IT staffs are short-handed this time of year -- what with holidays and vacation time -- Microsoft urged customers to focus on the two critical updates.

"We encourage customers to install all the updates as soon as possible," said Bryant, pointing to MS10-090 and MS10-091 as the two to fix first. "They can then look at the [others] and prioritize them [for deployment], perhaps after the holidays."

Security researchers echoed Bryant's recommendation.

"The good news today is that the bugs that are going to be exploited are on the client side, especially IE and other browsers," said Storms. "Given that there are no critical vulnerabilities on servers, it's not likely that they're going to be exploited so it's not a huge risk to focus the resources on the end users. Administrators who do that should fare pretty well over the holidays."

Experts also commented on 2010's record number of security bulletins from Microsoft, which released 106 bulletins and patched 266 separate vulnerabilities this year. "I have a hard time saying 'one hundred and six,'" said Miller, referring to the year's update tally. "It seems every month this year we've said this is big, huge. We sound like a broken record. But this is what we asked for."

Those same researchers said that, contrary to first glance, the 106 updates are a good thing, not bad. "I think it's a good sign," said Miller. "They're finding bugs, they're fixing bugs, and making everyone safer."

Today's security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Join the PC World newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityWindowssoftwareoperating systems

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments


Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >


Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >


Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >


Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?