Feeds

Microsoft releases fixes for record number of vulns

49 bugs squished

High performance access to file storage

Microsoft on Tuesday issued updates that plug a total of 49 security holes in Windows, Internet Explorer, and other software, the largest number of bugs ever to be fixed in a single Redmond Patch Tuesday release.

Microsoft classified six of the 49 vulnerabilities as critical, a severity rating that's generally reserved for bugs that allow adversaries to remotely execute malware on a Windows machine with little or no interaction needed by the user. Several other bugs, however, also make it possible to run code of an attacker's choosing, including flaws in the Windows common control library and the Microsoft foundation class library.

Those flaws carried lesser ratings because they can be exploited only when third-party browsers and file-archiving programs are used. Users who fall into these categories may want to give the vulnerabilities a higher severity rating, Microsoft said. What's more, 35 of the flaws could give attackers the means to run malicious code on victim's machines, antivirus provider Symantec said.

Ten of the vulnerabilities reside in IE, with two of them rated as critical. That gives rise to drive-by attacks in which victims are infected by doing nothing more than visiting a booby-trapped website. The elevated threat applies to IE versions 7 and 8 running on Windows Vista and Windows 7 even though those platforms have been designed to lessen the affect of such exploits.

Another update fixes a privilege-escalation vulnerability in Windows XP that was exploited by the Stuxnet worm, which researchers believe may have been unleashed to disrupt Iran's nuclear program. The malware spread by exploiting a total of four previously unpatched Windows vulnerabilities. With Tuesday's release, three of those vulns have been patched and a fourth — which also allows attackers to escalate limited system privileges — will be plugged in a future update, Microsoft said.

The record patch batch from Microsoft came on the same day that Oracle fixed a huge number of bugs in a wide variety of software, including 29 security holes in its Java platform.

According to McAfee, the 49 vulnerabilities fixed on Tuesday shatter a previous record of 34, which was set in October 2009 and then tied in June and August.

Other Microsoft software that's affected includes the .NET foundation and Office. As usual, SANS has a helpful summary of all the updates, which is here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.