Microsoft today issued 17 software updates to plug a total of 40 security holes in computers running its Windows operating system and other software. December’s bounty of patches means Microsoft fixed a record number of security vulnerabilities this year.
According to Microsoft, the most urgent of the patches is a critical update that fixes at least seven vulnerabilities in Internet Explorer versions 6, 7 and 8, including three that were publicly disclosed prior to today’s update. Microsoft said that at least one of the public flaws is already being actively exploited.
Microsoft also called special attention to the only other critical bulletin in the batch – a vulnerability in the OpenType Font Driver in Windows. Redmond warns that an attacker could compromise a machine on a network simply by getting a user to open a shared folder containing a malicious OpenType font file.
According to McAfee, Microsoft has rounded out the year with 106 security bulletins, the most it has ever released in a single year and a significant jump over the 74 bulletins released in 2009. The number of vulnerabilities patched, 266, is also a record, McAfee noted.
Obviously, merely counting the number of flaws a vendor fixes doesn’t tell you much about how safe it is to use that vendor’s products, but it’s the foundation for a more careful analysis. It may take some time to dig through the data, but it will be interesting to see whether Microsoft has gotten any nimbler in responding to zero-days (the IE zero-day mentioned above was first detailed on Nov. 3).
Microsoft also patched the last of the zero-day vulnerabilities exploited by the infamous Stuxnet computer worm. The flaw exists in the Windows Task Scheduler and allows a standard (non-administrator) user to schedule a task that runs with elevated (administrator) privileges, effectively giving an attacker full access to the system. Researchers at Symantec warned today that at least two new threats are now exploiting this flaw.
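One thing a defender can do with the description above is hunt for the result of the abuse rather than the bug itself: a scheduled task that was registered by an ordinary user account yet runs as SYSTEM or Administrators. The script below is an added example, not code from the original post or from Microsoft or Symantec. It parses Task Scheduler XML definitions (the format Windows keeps under %SystemRoot%\System32\Tasks), compares the registering Author against the run-as principal, and flags the mismatch. The four task definitions, the CORP\itadmin and CORP\jdoe account names, and the ADMIN_AUTHORS allow-list are constructed for the example.

```python
"""Flag scheduled-task definitions that run with elevated privileges but were
registered by a non-administrator account.

Added example (not code from the original post). Task Scheduler keeps one XML
file per task under %SystemRoot%\\System32\\Tasks. <RegistrationInfo>/<Author>
records who registered the task; <Principals>/<Principal> holds the UserId or
GroupId it runs as. A task registered by an ordinary user but running as SYSTEM
or Administrators is exactly the outcome the Task Scheduler flaw produces, so
the mismatch is worth hunting for. The task definitions below are constructed.
"""
import os
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Well-known SIDs and names of fully privileged run-as principals.
PRIVILEGED_PRINCIPALS = {
    "S-1-5-18",                      # LocalSystem
    "S-1-5-32-544",                  # BUILTIN\Administrators
    "SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM",
    "ADMINISTRATORS", "BUILTIN\\ADMINISTRATORS",
}

# Accounts allowed to register privileged tasks. Assumed for this example; in a
# real deployment populate it from the local Administrators group membership.
ADMIN_AUTHORS = {"CORP\\itadmin", "NT AUTHORITY\\SYSTEM"}


def _text(root, path):
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def _parse(task_xml):
    # Task files on disk carry an <?xml ... encoding="UTF-16"?> declaration;
    # drop it so already-decoded text parses cleanly.
    if task_xml.lstrip().startswith("<?xml"):
        task_xml = task_xml.split("?>", 1)[1]
    return ET.fromstring(task_xml)


def task_runs_privileged(task_xml):
    """True if the task's run-as principal is SYSTEM or Administrators."""
    root = _parse(task_xml)
    principal = (_text(root, "t:Principals/t:Principal/t:UserId")
                 or _text(root, "t:Principals/t:Principal/t:GroupId"))
    return principal.upper() in PRIVILEGED_PRINCIPALS


def suspicious_tasks(tasks):
    """Names of tasks that run privileged but whose Author is not an admin."""
    flagged = []
    for name, xml in tasks.items():
        author = _text(_parse(xml), "t:RegistrationInfo/t:Author")
        if task_runs_privileged(xml) and author not in ADMIN_AUTHORS:
            flagged.append(name)
    return flagged


def load_task_dir(path):
    """Read every task file under a Tasks directory (files are UTF-16 with BOM)."""
    tasks = {}
    for dirpath, _, files in os.walk(path):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-16") as fh:
                tasks[os.path.relpath(full, path)] = fh.read()
    return tasks


def _task(author, principal_tag, principal):
    # Constructed minimal task definition in the real schema's shape.
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <RegistrationInfo><Author>{author}</Author></RegistrationInfo>
  <Principals><Principal id="Author"><{principal_tag}>{principal}</{principal_tag}></Principal></Principals>
  <Actions><Exec><Command>C:\\Windows\\System32\\cmd.exe</Command></Exec></Actions>
</Task>"""


SAMPLE_TASKS = {
    "Vendor Updater": _task("CORP\\itadmin", "UserId", "S-1-5-18"),    # admin-registered, expected
    "Cleanup Helper": _task("CORP\\jdoe", "UserId", "S-1-5-18"),       # standard user -> SYSTEM
    "User Reminder":  _task("CORP\\jdoe", "UserId", "CORP\\jdoe"),     # runs as self, expected
    "Backup Sync":    _task("CORP\\jdoe", "GroupId", "S-1-5-32-544"),  # standard user -> Administrators
}

if __name__ == "__main__":
    # On a live host: suspicious_tasks(load_task_dir(r"C:\Windows\System32\Tasks"))
    for name in suspicious_tasks(SAMPLE_TASKS):
        print("suspicious:", name)
```

On a patched system a standard user can no longer register a task as SYSTEM, so any hit from this check on a machine that was unpatched for a while deserves a look at the task's action and creation time. The Author element is attacker-controlled text, so treat a match as a lead for triage, not proof.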