Microsoft plugged 34 security vulnerabilities in Windows, Internet Explorer and other products on this month's Patch Tuesday.
Microsoft issued 10 security bulletins
today to address 34 vulnerabilities,
including several with Microsoft's highest exploitability rating.
The exploitability rating ranks vulnerabilities according to the likelihood
attackers will develop reliable exploit code. Three of the bulletins are rated "critical."
Among them is MS10-033, which plugs two Windows security vulnerabilities that
could allow an attacker to execute code remotely if a user is tricked into
opening a malicious media file or receives specially crafted streaming content.
The other critical bulletins
, which address two Windows vulnerabilities, and
, a cumulative update for Internet Explorer that swats a number of
bugs. Among them, noted Qualys CTO Wolfgang
Kandek, is the bug exploited earlier this year in the Pwn2Own
To Symantec's Joshua Talbot, the most serious vulnerability is actually the
Windows kernel TrueType font parsing issue covered
"The most serious is the Windows kernel TrueType font parsing
vulnerability," said Talbot, security intelligence manager for Symantec
Security Response, in a statement. "Exploiting this, likely through a drive-by
download attack, would give an attacker near system-level privileges. It's
doubtful that attackers would compromise a legitimate site to exploit this
vulnerability, so users should be extra cautious of social engineering tricks
coaxing them to visit unfamiliar Web pages, which could contain a malicious
The fixes also include a patch for a vulnerability
in Microsoft SharePoint
the company warned about in late April and a
massive update for Microsoft Office that patched
"Customers should review their asset management systems and verify that all
Windows XP devices have been upgraded to SP3 and that all Windows 2000 devices
have been replaced or removed from the network," advised Josh Abraham, a
security researcher with Rapid7. "The most critical area of weakness for many
organizations is third-party devices that are still using these operating
systems. For these systems, customers will need to contact the vendor and verify
the upgrade process."