Microsoft is prepping 17 security bulletins for release next week.
Microsoft has plans for a gigantic Patch Tuesday next week, when it will plug
40 security vulnerabilities across a number of products, including critical
bugs impacting Internet Explorer and Microsoft Windows.
The bugs will be squashed by a total
of 17 security bulletins
, two of which are rated "critical."
One of the two critical bulletins affects Internet Explorer
(IE) versions 6, 7 and 8, while the other bulletin impacts Windows XP, Vista
and Windows 7, as well as Windows Server 2003 and 2008.
Microsoft first warned about the critical IE bug last month. According
to the company, the vulnerability exists due to an invalid flag reference in
the browser that can be accessed after an object is deleted. The bug has been
under attack, prompting Microsoft to release an advisory with a handful of
Of the remaining bulletins, 14 are rated "moderate," and the final
bulletin is rated "Important." Included in the mix this
month is a patch for a local
privilege escalation vulnerability
used by the notorious Stuxnet worm,
closing the last zero-day used by the malware.
Twice this year, Microsoft has broken its record for the most security
patches ever. In October, Microsoft
set a new benchmark
with the release of 16 security bulletins to cover 49
vulnerabilities across Windows, Internet Explorer, Microsoft Office and the .NET
"Looking back over 2010, that brings the total bulletin count to 106, which
is more bulletins than we have released in previous years," blogged Mike
Reavey, director of the Microsoft Security Response Center. "This is
partly due to vulnerability reports in Microsoft products increasing slightly,
as indicated by our latest Security Intelligence Report."
The high number of advisories will present a challenge to all Windows system
administrators, especially with the holidays shortening the available working
hours, said Wolfgang Kandek, CTO of Qualys.
"There are two advisories for Microsoft Office file format
vulnerabilities that should be looked at closely and potentially prioritized by
IT administrators," he said.
The update is slated for release Dec. 14.