Microsoft Plugs 26 Vulnerabilities With 13 Patches In Record Update

Of the 13 patches Microsoft released Tuesday, five are rated critical, seven are given the slightly less severe ranking of "important," and one is deemed "moderate."

The majority of bulletins -- 11-- addressed security vulnerabilities in Windows, while the remaining two affect older versions of Microsoft Office. Altogether, the monster patch plugged security critical holes in SMB client, ActiveX, Windows Shell Handler, Windows TCP/IP and Microsoft DirectShow.

Microsoft researchers say that one of the top priorities for users patching their systems should be a critical vulnerability in DirectShow. Hackers could infect victims with malware by hosting a malicious AVI file on a Web site, and then entice a user to visit the site with a malicious link embedded in an e-mail or IM message, typically through some social engineering scheme.

Meanwhile, experts also say that some of the most critical vulnerabilities addressed by patch MS10-009, occur in the Windows TCP/IP. Hackers could exploit the vulnerabilities to launch malware by sending infected packets to a computer with IPv6 enabled. The attackers could then crash a user's system in addition to stealing financial and personally identifying data.

"Even if an attacker isn't able to gain remote code execution, they may just be able to crash the system," said Joshua Talbot, security intelligence manager for Symantec security response. "That could have some severe implications for critical infrastructure."

Security experts say that the flaw enables hackers to launch malicious attacks on victim's computers by embedding code inside MS Office files or on Web sites. "Simply browsing an infected Web site will compromise unsuspecting users -- not great for all the holiday shoppers looking to get a jump on their shopping," said Andrew Storms, director of security operations for nCircle, in an e-mail. "The novelty value of this bug is likely to attract researchers. A lot of people will try to be the first to publicly post exploit code."

Talbot also highlighted several bugs in the Server Message Block Server, repaired by Microsoft bulletin MS10-012, which allows hackers to launch malicious attacks by creating a malicious SMB packet and sending it to a vulnerable computer. While the vulnerability is mitigated by the fact that it requires authentication, Talbot pointed out that attackers could exploit the flaw by easily bypassing guest account restrictions.

"SMB servers are often used for data repositories to share files throughout companies. This could be a particularly interesting target for attackers to steal information," Talbot said.

And not just for insiders, he added. "If (victims) didn't' have proper firewalling, an attacker could reach the server via the Internet. It's common for corporations to have laptops and employees that use unsecured wireless. All it takes is one attacker sitting on that wireless network."

Microsoft also released a critical patch for a vulnerability in the Windows Shell Handler affecting Windows 2000, Windows XP and Windows Server 2003, which attackers could exploit by sending a malicious link that appears to the ShellExecute API to be valid. In addition, Redmond issued a cumulative critical patch for ActiveX Killbit flaws.

While so far there are no in-the-wild attacks exploiting the vulnerabilities, proof-of-concept exploit code exists for two vulnerabilities addressed by Microsoft bulletin MS10-015, addressing errors designated as "important" in the Windows Kernel that could enable elevation of privileges if an attacker logged onto the system then ran a malicious application.

So far, security researchers say they have seen no attacks exploiting the issue.

Despite that fact, Microsoft researchers advised users to upgrade their aging legacy systems to protect themselves from possible threats that may emerge after the patches are released. Many of the most critical patches repaired vulnerabilities in aging Windows systems, such as Windows 2000, XP and Server 2003. "We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built into these products," Microsoft said in a company blog post.