
Microsoft Fixes 40 Flaws With Record Patch Tuesday Release

By Stefanie Hoffman, CRN
December 14, 2010    3:13 PM ET

Page 1 of 2

Microsoft is cleaning out its backlog for the New Year with a record-setting December Patch Tuesday release, repairing a total of 40 security flaws with 17 bulletins.

To date, it is the largest patch release Microsoft has issued, repairing a slew of errors in Microsoft Windows, Internet Explorer, Office, SharePoint and Exchange.

"The running rumor was they had a backlog. As the end of the year was approaching, they decided to go heads down and clear them out," said Andrew Storms, director of security operations at nCircle.

Despite the heavy patch load, only two of the 17 bulletins were given the highest severity rating of critical, indicating that the flaws they fix could enable hackers to launch remote code execution attacks. Meanwhile, 14 were given the slightly lower rating of "important," and one was rated "moderate."

One of the "critical" updates plugged seven security holes -- five ranked critical, two moderate -- affecting all versions of IE, on both Windows clients and Windows servers, including a zero-day flaw in IE 6, 7 and 8 already used in active attacks.

Specifically, the zero-day vulnerability occurs due to an invalid flag reference issue related to Cascading Style Sheets token sequences, which researchers discovered in the wild in November.

In an attack scenario, hackers could exploit the flaw remotely by creating a specially crafted Web page and enticing victims to visit it, usually through some social engineering scheme. Once opened, the page would automatically download malware onto users' computers, designed to steal data or completely shut down their systems.

Microsoft downplayed the threat, maintaining that the number of exploit attempts was minimal.

"Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low," said Microsoft's Mike Reavey, director of the Microsoft Security Response Center, in a blog post, adding that customers running Internet Explorer 8 were further protected from attacks due to the default Data Execution Prevention mechanisms embedded in the browser.

However, with the holiday season driving online shopping, Storms underscored the need to apply the IE patch as soon as possible. "Any time you have an IE patch, it's always near the top of the list to get that fixed. Given the time of year with everyone online shopping, there are a lot of people going online. They could be susceptible to these kinds of bugs," he said.

Next: Microsoft Fixes Final Stuxnet Bug
