Microsoft really outdid themselves this month by releasing the biggest patch Tuesday ever and fixing a whopping 49 vulnerabilities. Computer World reports that there are 16 groups of patches total and two patches in particular should get priority. One is patch MS10-071 for Internet Explorer and the other is for Windows, number MS10-076. Microsoft feels that it is very likely that attack code will be developed targeting the vulnerabilities fixed by those two patches.
NCircle Director of Security Operations Andrew Storms agrees that those two updates should be a top priority as they could be leveraged in a drive-by Internet attack. In this common type of attack, a hacker tricks the victim into visiting a Web page that takes advantage of the bug to install a malicious program on the victim’s machine.
The MS10-071 update for IE fixes 10 bugs, 2 of which are rated Critical and could be used in a drive-by attack. MS10-076 fixes a single bug in the Windows Embedded OpenType (EOT) Font Engine which Internet Explorer uses. Newer versions of Windows have ASLR (address space layer randomization) that protect from attacks on that kind of bug. Therefore, Windows XP is expected to be the target for exploits on the EOT bug along with other older versions of Windows.
Two other updates that are regarded as crucial are MS10-077, a fix for a .NET framework bug that affects only x64 systems, and MS10-075 which fixes a bug in Microsoft Windows Media Player Network Sharing Service which is used by Windows Media Player to share media over the network. In addition to the high profile updates there are a number of lower-ranking vulnerabilities that are regarded as possible avenues of attack, specifically 35 out of the 49 bugs could allow unauthorized code execution. As a result, Microsoft expects a number of exploits for lower-ranking bugs.
Stuxnet teaches us that bugs that aren’t ranked Critical can still be dangerous,
one of Tuesday’s updates — MS10-073; rated important by Microsoft — fixes a Windows XP bug that was leveraged by the creators of the Stuxent worm. Stuxnet is the first publicly known worm built to attack industrial systems and it has made headlines during the past weeks amidst speculation that it was designed to target nuclear systems in Iran.
For more info see the official Microsoft bulletin.