Microsoft Fixes Record 49 Bugs In October Patch Salvo

In its October Patch Tuesday salvo, Microsoft issued 16 security bulletins that fix a record 49 vulnerabilities, including critical remote execution flaws in Internet Explorer, Windows Media Player and the .NET framework.

Microsoft assigned its highest severity rating of "critical" to four of the bulletins and is urging administrators to apply these first because of their potential to be used in remote code execution attacks.

Microsoft's MS10-071 update addresses ten vulnerabilities in Internet Explorer, seven of which were reported to Microsoft privately and three of which have been publicly disclosed. In the worst case scenario, a remote attacker could gain control over a user's PC by getting them to visit a rigged Webpage.

The MS10-075 update fixes a privately reported flaw in the Windows Media Player Network Sharing Service that attackers could exploit by sending specially crafted RTSP packet to an affected PC. The impact of this flaw is mitigated somewhat because most versions of Windows disable home media by default, which means an attacker would have to be on the same subnet to exploit it.

However, Windows 7 Home Edition does enable this feature in its default setting, Microsoft noted.

Next: Why Windows Vista And Windows 7 Are Safer

Another critical bulletin, MS10-076, patches a vulnerability in a Windows component called the Embedded OpenType (EOT) Font Engine, and could also be exploited by getting a user to browse to a rigged Webpage. But Microsoft says Address Space Layout Randomization (ASLR), a security feature that's built into Windows Vista and Windows 7, will make it tough for attackers to build an effective exploit.

Microsoft's MS10-077 bulletin fixes a private reported flaw in the .NET Framework, which is limited to 64-bit systems but could be exploited on both client PCs and servers. In the former scenario, a user could be infected by visiting a malicious Webpage, while in the latter attackers could target a server running IIS that's been set up to handle ASP.NET pages.

Microsoft last month released an out-of-band patch for a vulnerability in the ASP.NET framework for Windows Server that was being used in targeted attacks in the wild.

Although many of this month's fixes targeted older Microsoft products, this month's Patch Tuesday blew away the previous record for vulnerabilities, 34, which was reached in August, June, and last October.

Despite the high number of flaws, Microsoft was quick to note that only a fraction of these were actually critical.

Next: Microsoft Says Not All Bugs Critical

"It's worth noting that only six of the 49 total vulnerabilities being addressed have a critical rating. Further, three of the bulletins account for 34 of the total vulnerabilities," said Carlene Chmaj, senior communications manager for Microsoft's Security Response team, in a Tuesday blog post.