December 14, 2010

Microsoft today issued 17 software updates to plug a total of 40 security holes in computers running its Windows operating system and other software. December’s bounty of patches means Microsoft fixed a record number of security vulnerabilities this year.

According to Microsoft, the most urgent of the patches is a critical update that fixes at least seven vulnerabilities in Internet Explorer versions 6, 7 and 8, including three that were publicly disclosed prior to today’s update. Microsoft said that at least one of the public flaws is already being actively exploited.

Microsoft also called special attention to the only other critical bulletin in the batch – a vulnerability in the OpenType Font Driver in Windows. Redmond warns that an attacker could compromise a machine on a network simply by getting a user to open a shared folder containing a malicious OpenType font file.

According to McAfee, Microsoft has rounded out the year with 106 security bulletins, the highest number in history, and a significant jump over the 74 security bulletins released in 2009. This year also brings a record number of vulnerabilities patched, at 266, McAfee noted.

Obviously, merely counting the number of flaws a vendor fixes doesn’t tell you much about how safe it is to use that vendor’s products, but it’s the foundation for a more careful analysis. It may take some time to dig through the data, but it will be interesting to see whether Microsoft has gotten any nimbler in responding to zero-days (the IE zero-day mentioned above was first detailed on Nov. 3).

Microsoft also patched the last of the zero-day vulnerabilities exploited by the infamous Stuxnet computer worm. This flaw exists in the Windows Task Scheduler, and allows a regular user to schedule a task that will run with elevated (administrator) privileges – effectively giving an attacker full access to the system. Researchers at Symantec warned today that at least two new threats are now exploiting this flaw.
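The Task Scheduler flaw described above lets an ordinary user end up with a task that runs with administrator rights, so the artifact a defender can look for is an elevated task whose author is not Microsoft or a known administrator. The following PowerShell is an added example, not code from this post or from Microsoft: it reads the verbose CSV that `schtasks /query /fo CSV /v` produces (the columns "HostName", "TaskName", "Author", "Run As User" and "Task To Run" are real columns of that output) and lists tasks that run as SYSTEM, a service account or Administrators but were authored by someone else. The sample rows are constructed and trimmed to the columns the function needs; the function name and its parameter names are my own.

```powershell
# Added example, not part of the post: flag scheduled tasks that run with
# elevated rights but were authored by something other than Microsoft.
# Input is the verbose CSV produced by `schtasks /query /fo CSV /v`.

function Find-ElevatedUntrustedTasks {
    param(
        [Parameter(Mandatory = $true)] [string[]] $CsvLines,
        # Authors you consider legitimate creators of elevated tasks (prefix match)
        [string[]] $TrustedAuthorPrefixes = @('Microsoft')
    )

    $elevatedAccounts = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

    $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.HostName -ne 'HostName' } |   # schtasks repeats the header row per task folder; drop those rows
        Where-Object {
            $runAs = $_.'Run As User'
            ($elevatedAccounts -contains $runAs) -or ($runAs -like '*Administrators')
        } |
        Where-Object {
            $author  = $_.Author
            $trusted = $false
            foreach ($prefix in $TrustedAuthorPrefixes) {
                if ($author -like "$prefix*") { $trusted = $true }
            }
            -not $trusted
        } |
        Select-Object TaskName, Author, 'Run As User', 'Task To Run' |
        Sort-Object TaskName -Unique   # verbose output emits one row per trigger; keep one per task
}

# Constructed sample in the same column layout (a real run has many more columns)
$sample = @'
"HostName","TaskName","Author","Task To Run","Run As User"
"SRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c","SYSTEM"
"SRV01","\NightlyBackup","CORP\backupadmin","D:\Scripts\backup.cmd","SYSTEM"
"SRV01","\UpdateCheck","CORP\jdoe","C:\Users\jdoe\svc.exe","SYSTEM"
"SRV01","\CleanTemp","CORP\jdoe","cmd.exe /c del /q %TEMP%\*","CORP\jdoe"
'@ -split "`r?`n"

Find-ElevatedUntrustedTasks -CsvLines $sample | Format-Table -AutoSize
# On a live system: Find-ElevatedUntrustedTasks -CsvLines (schtasks /query /fo CSV /v)
```

On the sample, the Microsoft defrag task and the task jdoe runs as himself are ignored, while `\NightlyBackup` (created by an admin, probably fine) and `\UpdateCheck` (an elevated task authored by an ordinary user) are both reported; separating the expected from the unexpected is the reviewer's job, which is why the trusted-author list is a parameter rather than a hard-coded rule.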

Patches are available through Microsoft Update (using IE) or Automatic Update. As always, please drop a note in the comments section if you experience any issues with this month’s updates.


13 thoughts on “Microsoft Patches 40 Security Holes”

  1. Cuddly Dudley

    Well done, MS.

    There is no patch required to opt out of Microsoft’s Security Essentials’ SpyNet:

    How to block Microsoft SpyNet
    http://www.malwarehelp.org/how-to-block-microsoft-spynet-2009.html

    When you install MSE, you are presented with two options, neither of which allows you to opt out. Thankfully, this article provides step-by-step instructions on opting out of this ‘community’.

    The article instructs users on “Blocking Microsoft SpyNet without losing functionality”.

    Because it’s **my** computer, Microsoft.

    1. truth_or_dare

      Thanks for posting this link Cuddly, I found it informative.

      Do the 20 users that voted this down know something negative about the supplied link that other readers should be aware of?

  2. Phoenix

    After the updates were installed Secunia PSI pops up a “one program removed” message. I wonder what that was.
    Firefox and/or Thunderbird users should also be aware of Mozilla’s updates released last Friday.

  3. JS

    After inheriting 2 Windows 2008 R2 servers, we’re too small scale for SC-SMS or WSUS and yet some of these are important enough to patch immediately given our environment. Thus IE has to be present on our servers just for DL of the patches in a straightforward manageable fashion (IE itself has to be patched too much).

    I’m not so happy to undertake a full reboot for these patches, simply because our services & apps require a bunch of regression testing each time.

    If problems with ms patches involve poor availability then this has always been a problem.

    Anything that Microsoft issues is never really fixed unless a reboot occurs even for “minor” dll updates.

    The MS bulletins are not very transparent as to what actually changes on the systems IMHO

    1. xAdmin

      Uh? On one hand you say you’re not large enough to support using other patching methods such as System Center Configuration Manager/Systems Management Server or Windows Software Update Services, but when presented with the simple method of using IE via the Microsoft Update website, you’re complaining? Either play the patching game and the subsequent reboots or leave your systems vulnerable or switch to another platform (that still needs patching).

      Years ago, Microsoft patch quality was an issue, not really a problem these days. Many IT shops install the patches the same week they are released and rarely experience issues. I’m not saying that practice is recommended. I’d rather do more testing to be sure. When issues do come up, 9 times out of 10, the root cause is some other piece of software that didn’t like the changes in the update, something that isn’t always Microsoft’s fault. They do extensive quality control testing of patches, but can’t possibly cover every type of system configuration out there.

      Also, just to make the point, best practice dictates you don’t use your servers to browse the Internet, so using IE just for patch installation (via Microsoft Update) isn’t an issue.

      “MS bulletins are not very transparent as to what actually changes on the systems”

      You’re kidding right? The TechNet (versus the consumer based ones) bulletins themselves provide a wealth of information, while at the same time give links to knowledge base articles that provide further details. Many times for me, there is too much information to sort through. You want the source code? You either trust them with the patches or you don’t and use another platform! No weenie whining! 🙂

  4. PatrickB

    > Thus IE has to be present on our servers just for DL of the patches in a straightforward manageable fashion (IE itself has to be patched too much).

    Try this program to download Windows updates without IE.

    http://www.autopatcher.com/

    1. jrj

      What about the command line program in system32 dir:
      wuauclt.exe /detectnow

      1. JS

        Thanks for the tips. Google & sites like technet, Stackoverflow are my manuals for the time being.

        However the root of my gripe is Linux is verging on having rebootless kernel patches yet I get a recommendation by Microsoft to reboot an entire server just for IE updates?

        That’s an availability issue for me.

  5. Andy

    I have seen info on the rebootless kernel patches in Linux Format magazine (www.linuxformat.com). Not sure what it is called, I will have a look and post here when I find it.

    It does seem to me that Microsoft are way behind if you have to reboot nearly every time you apply patches. On Linux, it is usually just when the kernel is updated. I am sure Microsoft will catch up one day. Maybe.

    As for the number of patches, it seems Microsoft are cleaning up their code and trying to get it right.

  6. xAdmin

    While I’m not a fan of having to reboot unnecessarily, those complaining about it simply don’t understand the reasons it’s sometimes necessary. Most modern operating systems and many software applications are architected in such a way that various files are in use when the system or application is running which prevent them from being replaced/updated on the fly. Instead, the file changes and in the case of Windows many times, registry changes are staged and held until a reboot allows the locked files to be updated and the new registry settings to become active.

    In the case of many software applications, the reboot requirement can be mitigated by closing all running programs BEFORE patching.

    Until we come up with a different system architecture, rebooting is simply part of the equation. 🙂
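The staging that xAdmin describes is visible on the system: Windows records file replacements it could not complete while the files were locked, and both Windows Update and the servicing stack leave marker keys when a reboot is outstanding. The following PowerShell is an added example, not code from this thread or from Microsoft; it reads those three well-known registry locations and reports what is waiting for the next reboot. It needs PowerShell 3 or later for the `[PSCustomObject]` syntax, and the function name is my own.

```powershell
# Added example, not part of the post or comments: show what Windows has
# staged to finish at the next reboot.
# PendingFileRenameOperations is a REG_MULTI_SZ of (source, destination)
# pairs that could not be applied while the files were in use; an empty
# destination means the source is to be deleted. The two marker keys are
# created by Windows Update and by Component Based Servicing (Vista and
# later) when a restart is required.

function Get-PendingRebootStatus {
    $sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $raw = (Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    # Keep empty strings (they are meaningful as "delete" destinations), drop only a missing value
    $entries = @($raw | Where-Object { $_ -ne $null })

    # Pair up source/destination and strip the NT object-manager prefix \??\
    $renames = for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $dest = if (($i + 1 -lt $entries.Count) -and $entries[$i + 1]) {
            $entries[$i + 1] -replace '^\\\?\?\\', ''
        } else {
            '(delete)'
        }
        [PSCustomObject]@{
            Source      = $entries[$i] -replace '^\\\?\?\\', ''
            Destination = $dest
        }
    }
    $renames = @($renames)

    $wuMarker  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $cbsMarker = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    [PSCustomObject]@{
        RebootPending        = ($wuMarker -or $cbsMarker -or ($renames.Count -gt 0))
        WindowsUpdateMarker  = $wuMarker
        ServicingStackMarker = $cbsMarker
        PendingFileRenames   = $renames
    }
}

$status = Get-PendingRebootStatus
$status | Select-Object RebootPending, WindowsUpdateMarker, ServicingStackMarker | Format-List
$status.PendingFileRenames | Format-Table -AutoSize
```

Run it after installing a month's updates but before restarting and the PendingFileRenames table shows exactly which DLLs and executables are still the old copies on disk; until the reboot drains that list, the patched files are not the ones the running system is using, which is the point the comment makes about "minor" DLL updates.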

  7. OhioMC

    Our organization pushes critical patches as soon as they are released. While not ideal, we have not found any problems doing this. Microsoft must do quite a bit of testing.

    We DO withhold service packs and browser releases (IE) for testing. We have found these to break significant functions, particularly new versions of IE. This has always been due to vendor portal/website coding. For a long time, one key business partner forced us to stay with IE6. Ugh.

    Bottom line, we would rather deal with breaks following patch Tuesday than incur the vulnerabilities and expense of testing Redmond’s hotfixes.

  8. The snowman with bacon fingernails

    The top post was buried by shills, the important info is:

    How to opt-out of Microsoft Spynet
    – Disable Microsoft Spynet

    http://www.malwarehelp.org/how-to-block-microsoft-spynet-2009.html

    When you install Microsoft Security Essentials, you are presented with two options with the Spynet ‘feature’. Neither ‘option’ allows you to opt-out of this ‘feature.’ The URL posted here demonstrates the easy path to disabling this ‘feature’. It’s amusing to me the name: “Spynet” and no visible option to opt-out.

    Shills: If you believe you can bury every useful tip which restores power to the users, you’re wrong, you can’t stop the power of information.

    1. CloudLiam

      A far safer and much more useful tip would be to advise the users that don’t wish to participate in Spynet to upgrade to Security Essentials 2.0, which allows you to opt out of Spynet without fear of cocking up your registry.

      Just click Settings/Advanced and tick I do not want to join Spynet and you’re done, but be aware that you are losing an important layer of protection by opting out.

Comments are closed.