Stephen Withers
Wednesday, 15 December 2010 07:43
Microsoft has released 17 security bulletins, making December 2010's Patch Tuesday one of the biggest ever. Two of the bulletins address vulnerabilities that are already being exploited. Unusually, Microsoft has given advance notice of a security improvement for Office 2003 and 2007 that won't be available until next year.
40 vulnerabilities are addressed by this month's security updates from Microsoft, which cover all currently supported versions of Windows, plus Office, Exchange Server and SharePoint Server.
Two of the bulletins are regarded as critical. One covers multiple vulnerabilities in Internet Explorer 6, 7 and 8, some of which can be exploited to allow remote code execution. The other concerns multiple vulnerabilities in the OpenType Font driver, which also allow remote code execution.
Other affected components include Windows Media Encoder, Windows Movie Maker, Task Scheduler (a vulnerability exploited by the notorious Stuxnet malware), kernel-mode drivers, routing and remote access, Consent User Interface, Netlogon service, and Hyper-V.
There is also a group of vulnerabilities affecting various components when opening files stored in the same remote file system location or WebDAV share as a maliciously crafted library file.
Sophos senior security advisor Chester Wisniewski noted that the updates do not address a publicly disclosed (but only locally exploitable) privilege escalation vulnerability in the Windows kernel, or a publicly disclosed vulnerability in Internet Explorer's CSS handling.