October 12, 2010

Microsoft today issued 16 update bundles to fix a record-breaking 49 separate security vulnerabilities in computers powered by its Windows operating systems and other software.

“Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines.”

McAfee notes that today’s release exceeds the previous record of 34 vulnerabilities fixed in a single Patch Tuesday, a mark first set in October 2009 and matched again in June and August of this year.

Microsoft said at least eight of the vulnerabilities were publicly disclosed prior to the release of today’s patches. The software giant also fixed one of the two remaining zero-day flaws exploited by the Stuxnet worm, a complex family of malware pegged by researchers as a weapon built to attack industrial control systems embedded in facilities like power and chemical manufacturing plants.

At the top of the critical list is an update for Internet Explorer versions 6 through 8 that plugs at least 10 security holes in the default Web browser on Windows, including two flaws that were disclosed previously. Several of the IE flaws are marked critical even on the latest versions of Microsoft’s products, including IE8 running on Windows 7 systems.

Two updates for versions of Microsoft Word and Excel comprise about half of the vulnerabilities addressed in today’s release.

Today’s fixes are available through Windows Update or by enabling Automatic Update in Windows. As always, if you experience any glitches or problems applying these patches, please drop a note in the comments section.

For more information on the patches, check out SANS Internet Storm Center’s Black Tuesday roundup, as well as Microsoft’s Security Research & Defense blog.

Update, 3:58 p.m. ET: Several readers have pointed out that Microsoft took the momentous step today of adding detection for the infamous ZeuS Trojan to its Malicious Software Removal Tool. The MSRT is offered alongside Windows updates and, if approved, scans the host computer once a month for a variety of the most prevalent threats. It will be interesting to chart the impact of this welcome move by Microsoft.
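Installing the month’s bundles through Windows Update is only half the job; the check a practitioner wants afterward is which of them actually succeeded and whether the MSRT run described above has happened. The script below is an added example, not code from the original post or from Microsoft: it reads the local Windows Update Agent history through the Microsoft.Update.Session COM object, lists every installation attempted on or after the Patch Tuesday date, flags failures (a bundle that shows Failed leaves its holes open), and then looks for the MSRT log. The date default, the log path under %windir%\debug and the result-code labels are assumptions drawn from the Windows Update Agent and MSRT as shipped at the time; run it from an elevated PowerShell prompt on the patched machine.

```powershell
# Added example (not from the original post): verify a Patch Tuesday actually landed.
# Assumes: elevated prompt, Windows Update Agent present (it is on XP SP3 / Vista / 7),
# and the MSRT log at $env:windir\debug\mrt.log (its usual location; treat as an assumption).
param([datetime]$Since = '2010-10-12')

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
if ($total -eq 0) { Write-Warning 'No update history on this machine.'; return }

# Operation 1 = installation (2 would be an uninstall); keep only attempts since the patch date.
$entries = $searcher.QueryHistory(0, $total) |
    Where-Object { $_.Operation -eq 1 -and $_.Date -ge $Since }

$report = foreach ($e in $entries) {
    # IUpdateHistoryEntry.ResultCode: 2 Succeeded, 3 SucceededWithErrors, 4 Failed, 5 Aborted
    $status = switch ($e.ResultCode) {
        2       { 'Succeeded' }
        3       { 'SucceededWithErrors' }
        4       { 'Failed' }
        5       { 'Aborted' }
        default { "Unknown($($e.ResultCode))" }
    }
    # Titles carry the KB number, e.g. "Security Update for Windows XP (KB...)"; pull it out for sorting.
    $kb = if ($e.Title -match 'KB(\d+)') { "KB$($matches[1])" } else { '' }
    New-Object PSObject -Property @{
        Date   = $e.Date
        KB     = $kb
        Status = $status
        Title  = $e.Title
    }
}

$report | Sort-Object Date | Format-Table Date, KB, Status, Title -AutoSize

$failed = @($report | Where-Object { $_.Status -eq 'Failed' -or $_.Status -eq 'Aborted' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} update(s) did not install; re-run Windows Update and check the titles above." -f $failed.Count)
}

# MSRT leaves a plain-text log; its timestamp tells you whether this month's scan has run yet.
$mrtLog = Join-Path $env:windir 'debug\mrt.log'
if (Test-Path $mrtLog) {
    $last = (Get-Item $mrtLog).LastWriteTime
    Write-Host ("MSRT log last written: {0}" -f $last)
    if ($last -lt $Since) { Write-Warning 'MSRT has not run since the patch date; the new ZeuS detection has not been applied yet.' }
} else {
    Write-Warning 'No MSRT log found; the tool may not have been offered or accepted on this machine.'
}
```

Get-HotFix (or `wmic qfe list`) gives a quicker yes/no on a single KB, but it only reports what is installed; the history query above is what shows the installs that were tried and failed, which is the case the comments on this post describe.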

2 thoughts on “Microsoft Plugs a Record 49 Security Holes”

  1. xAdmin

    Updated 3 Windows XP (w/ SP3) systems (2 with Office) without problem. 🙂

    While not a security update, there was also an update for Silverlight back on Sept. 28 (Netflix requires it to stream movies! :P). Wasn’t aware of the update until using Microsoft Update. According to the Knowledge base article (see below), “the update fixes an incompatibility issue between Microsoft Silverlight 4 (4.0.50826.0) and earlier versions of the Bing Toolbar.” Nice, two of their own products don’t play nice together! Loathe those toolbars anyway.

    One final note: it’s about time they added detection for Zeus to the Malicious Software Removal Tool. What took so long?

  2. Dude

    These updates borked the .NET Framework 4.0 on my Vista Home Premium 64-bit. I got the “not genuine” b.s. shortly after and a pop-up box that told me I would have to completely reinstall the OS to fix it.
    Luckily I had Windows 7 Ultimate 64-bit lying around, so I upgraded. But still. What a pain.
