Of the 17 bulletins, nine are rated critical, with the rest rated important. The 64 fixes include all versions of Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET framework, as well as GDI+. The previous record on security fixes was 49 set in October 2010.
While 64 patches might seem like a lot, the number was not unexpected, noted Andrew Storm, director of security at nCircle. “That seems like a huge number of bugs but it’s actually about what we expected. Ever since the middle of last year Microsoft’s bulletin releases generally hit double digits every other month.”
Amol Sarwate, manager of Qualys' Vulnerability Research Lab, commented: “This is a huge update and system administrators should plan for deployment as all Windows systems including Server 2008 and Windows 7 are affected by critical bulletins. Frequently used office applications like Excel 2003 through 2010 and PowerPoint 2002 through 2010 are also affected.” Sarwate noted that Microsoft is providing a fix for the MHTML vulnerability and SMB browser issued disclosed earlier this year.
Commenting on the SMB browser issue, Pete Voss, senior response communications manager with Microsoft Trustworthy Computing, said that the company “assessed the situation and reported that although the vulnerability could theoretically allow remote code execution, that was extremely unlikely. To this day, we have seen no evidence of attacks.” In contrast, Voss said that the company was aware of “limited, targeted attacks” stemming from the MHTML vulnerability it disclosed in January.
Paul Henry, security and forensics analyst at Lumension, said that the large number of patches is just plain “ugly”. He noted that all but two of the bulletins “provide for remote code execution. Well into a new year and things have not improved.”
Henry said that there has been a marked increase in spear phishing attacks taking advantage of third-party applications, such RSA’s admission that hackers exploited an Adobe Flash module embedded in a Microsoft Excel spreadsheet to gain access to its database.
“Most spear phishing attacks being reported involve taking advantage of these third-party applications. While the rest of the world is focusing on Windows, the bad guys are taking advantage of the applications we aren’t patching with free patch software that Microsoft makes available. All of this is further evidence that our methods of securing our systems just aren’t up to par”, Henry concluded.