Microsoft Launches New Security Patches
Apart from two vulnerabilities that Microsoft rated critical, Microsoft fixed 40 separate flaws in this Patch Tuesday (December 14, 2010), covering Microsoft Windows, Office, Internet Explorer (IE), SharePoint, and Exchange.
Patch Tuesday is the second Tuesday of each month, on which Microsoft releases security patches. This year (2010) has been a very hectic one for Microsoft security bulletins. With the addition of 17 security bulletins, Microsoft has reached 106 bulletins for the year as of December 2010, a 43% rise from the 74 security bulletins released in 2009.
Commenting on the matter, Joshua Talbot, Security Intelligence Manager at Symantec Security, stated that Microsoft has exceeded its previous number of vulnerabilities patched in a single year, with 261 vulnerabilities patched during 2010 compared to 170 in 2009, as reported by The Register on December 15, 2010.
Another critical fix (MS10-091) addresses a font-related bug, which presents an execution bug on the latest versions of Windows and a lesser privilege escalation flaw on Windows XP.
A use-after-free error within the 'mshtml.dll' library is the root cause of this issue. It is triggered when a web page referencing a Cascading Style Sheets (CSS) file is processed. This file contains various '@import' rules, which can allow remote attackers to execute malicious code through a specially crafted webpage, reports VUPEN, which rated this a "critical" flaw.
VUPEN has confirmed this flaw in Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and in Internet Explorer 7 and 6 on Windows XP SP3, reports eWEEK, December 12, 2010.
Another fix addresses 5 serious vulnerabilities in Internet Explorer, some of which have already been used in real hacking attacks. All current versions of IE will need patching: versions 6, 7, and 8 of Internet Explorer are affected across multiple versions of Windows, such as Windows 7 and Windows Vista.
The remaining patches (14 important and one moderate) include a fix for the outstanding unpatched flaw exploited by the Stuxnet worm. Mike Reavey, Director of the Microsoft Security Response Center, stated that this was a local elevation of privilege flaw, although there was no evidence of its use in active exploits other than the Stuxnet malware, as reported by InformationWeek on December 10, 2010.
» SPAMfighter News - 22-12-2010