Microsoft Fixes 40 Vulnerabilities in Final Patch Tuesday for 2010

In its final Patch Tuesday for the year, Microsoft plugs a total of 40 security holes, including a critical vulnerability in Internet Explorer.

Microsoft bid farewell to 2010 Patch Tuesday updates with 17 security bulletins and 40 security fixes, among them a patch for an Internet Explorer vulnerability first disclosed in November.

Two of the 17 bulletins are rated "Critical"-the IE bulletin and another that covers three vulnerabilities in Windows' OpenType Font driver-while 14 are rated "Important" and the remaining one is rated "Moderate."

The IE bulletin resolves seven issues that affect all supported editions of the browser across all the versions of Windows.

"The most important bug this month is clearly the IE update that includes a fix for the outstanding zero-day bug discovered in early November," said Andrew Storms, director of security operations at nCircle. "With more and more people shopping online this time of year, it's important for everyone to patch their browsers."

The zero-day is the only flaw among the IE bugs known to have been successfully exploited, Microsoft said.

The other critical bulletin, MS10-091, should also be a top priority, security pros said.

"This bulletin addresses and issue with the OpenType Font Driver," noted Jason Miller, data and security team leader at Shavlik Technologies. "If a shared folder that contains a malicious OpenType font file is viewed, an attacker could run code in the Windows kernel. In order for a successful exploit, an attacker must convince a user to open a share that contains a malicious OpenType font file. If the folder has thumbnail view set, no user interaction is required for a successful exploit."

Five of the bulletins released today (MS10-093, MS10-094, MS10-095, MS10-096, and MS10-097) address the insecure Library Loading issue identified in August on different components, Miller added.

"It is not surprising these five bulletins were released," he said. "Products that are affected by this vulnerability are still being found by Microsoft."

Another bulletin that administrators should pay particular attention to is MS10-105, opined Qualys CTO Wolfgang Kandek. The bulletin covers seven vulnerabilities in Microsoft Office, and could allow remote code execution if the user views a specially-crafted image file using Microsoft Office.

Microsoft also swatted a privilege escalation bug used by the Stuxnet worm, the last of the zero-days the malware exploited to infect systems.