Microsoft Fixes 40 Flaws With Record Patch Tuesday Release

Microsoft is cleaning out its backlog for the New Year with a record-setting December Patch Tuesday release, repairing a total of 40 security flaws with a 17 bulletins.

To date, the patch is the largest Microsoft has issued, repairing a slew of errors in Microsoft Windows, Internet Explorer, Office, SharePoint and Exchange.

"The running rumor was they had a backlog. As the end of the year was approaching, they decided to go heads down and clear them out," said Andrew Storms, director of security operations at nCircle.

Despite the exorbitant patch load, only two of the patches included in the bulletin repaired flaws given the highest severity ranking of critical, indicating that they could enable hackers to launch remote code execution attacks. Meanwhile, 14 were given a slightly lower priority with the ranking of "important,' and one was rated "moderate."

One of the "critical" updates plugged seven security holes -- five ranked critical, two moderate -- affecting all versions of IE, on both Windows clients and Windows servers, including a zero-day flaw in IE 6, 7 and 8 already used in active attacks.

Specifically, the zero-day vulnerability occurs due to an invalid flag reference issue related to Cascading Style Sheets token sequences, which researchers discovered in the wild in November.

In an attack scenario, hackers could launch malicious attacks remotely by creating a specially crafted Web page, and enticing victims to visit the site, usually through some social engineering scheme. Once opened, the page would automatically download malware onto users' computers, designed to steal data or completely shut down their system.

Microsoft downplayed the threat, maintaining that the number of exploits were minimal.

"Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low," said Microsoft's Mike Reavey, director of the Microsoft Security Response Center, in a blog post, adding that customers running Internet Explorer 8 were further protected from attacks due to the default Data Execution Prevention mechanisms embedded in the browser."

However, in light of the holiday season that facilitates online shopping, Storms underscored the necessity to apply the IE patch as soon as possible. "Any time you have an IE patch, it's always near the top of the list to get that fixed. Given the time of year with everyone online shopping, there are a lot of people going online. They could be susceptible to these kinds of bugs," he said.

Next: Microsoft Fixes Final Stuxnet Bug

In addition, Microsoft's second critical patch quashed three bugs in Windows' OpenType Font driver. Specifically, the flaw could enable hackers to launch malicious attacks by creating a malicious OpenType font on a network share. The affected control path would then be triggered when the user navigates to the share in Windows Explorer, enabling the malicious font to infiltrate and take complete control of a targeted system.

Among the barrage of updates was a fix, rated "important," for an elevation of privilege issue that resolved one of the remaining Stuxnet vulnerabilities, which occurred in Windows Task Scheduler. If exploited, the vulnerability could enable an attacker to gain elevated privileges by logging onto an affected system and running a malicious application.

However, a mitigating factor is that the attacker would already have to have valid login credentials and be able to log onto the system locally in order to effectively execute an attack. The vulnerability could not be exploited remotely or by anonymous users, Microsoft said.