Patch Tuesday: 17 security updates, fixing 40 vulnerabilities in Windows and Internet Explorer

Two of the updates, Infosecurity notes, were tagged critical, MS10-090 and MS10-091.

Commenting on the updates, Wolfgang Kandek, CTO with cloud security specialist Qualys, said that only two of the bulletins are critical and both should be high on your priority lists for immediate roll-out.

"MS10-090 is an update for all versions of Internet Explorer and includes a fix for the 0-day vulnerability KB2458511. The underlying vulnerability is neutralised by DEP, which is standard on IE8, a good example of why keeping up with the latest software versions is beneficial to the overall robustness of the system", he said.

"Microsoft has attack tracking statistics for KB2458511 on their MMPC blog, and while it seems that attacks are not very widely spread, we have heard that they have picked up recently", he added.

Kandek, who has posted a video about the updates, went on to say that the second critical bulletin – MS10-091 – is located in the OpenType Font driver. The vulnerability can be triggered by simply browsing to a directory that contains the malicious file – no further interaction is required.

Over at Ncircle, meanwhile, Andrew Storms, the firm's director of security operations, said that Microsoft is clearly ending this year on a high note, with their highest number of bulletins ever.

"With a record 17 bulletins and a CVE count of 40, we are getting a huge number of individual bug fixes", he said, adding that the most important bug this month is clearly the IE update that includes a fix for the outstanding zero-day bug discovered in early November.

"With more and more people shopping online this time of year, its important for everyone to patch their browsers," he said, adding that the patch fixes what looks like the final bug related to Stuxnet, a pervasive worm that worked its way into some of the most important networks around the globe.

Joshua Talbot, security intelligence officer with Symantec, said that Microsoft has now released 106 security bulletins in 2010 – topping the century mark for the first time since the Patch Tuesday program began.

"The next closest was 78 in 2006 and 2008. Finally, by Symantec's count, Microsoft far surpassed the number of vulnerabilities patched in a single year with 261. The previous record was 170 set last year", he said.

What’s Hot on Infosecurity Magazine?