Microsoft today issued 16 update bundles to fix a record-breaking 49 separate security vulnerabilities in computers powered by its Windows operating systems and other software.
“Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines.”
McAfee notes that today’s release exceeds the previous record of 34 vulnerabilities fixed in one go, which was first set in October 2009, and again in June and August of this year.
Microsoft said at least eight of the vulnerabilities were publicly disclosed prior to the release of today’s patches. The software giant also fixed one of the two remaining zero-day flaws exploited by the Stuxnet worm, a complex family of malware pegged by researchers as a weapon built to attack industrial control systems embedded in facilities like power and chemical manufacturing plants.
At the top of the critical list is an update for Internet Explorer versions 6 through 8 that plugs at least 10 security holes in the default Web browser on Windows, including two flaws that were disclosed previously. Several of the IE flaws are marked critical even on the latest versions of Microsoft’s products, including IE8 running on Windows 7 systems.
Two updates for versions of Microsoft Word and Excel comprise about half of the vulnerabilities addressed in today’s release.
Today’s fixes are available through Windows Update or by enabling Automatic Update in Windows. As always, if you experience any glitches or problems applying these patches, please drop a note in the comments section.
For more information on the patches, check out SANS Internet Storm Center‘s Black Tuesday roundup, as well as Microsoft’s Security Research & Defense blog.
Update, 3:58 p.m. ET: Several readers have pointed out that Microsoft took the momentous step today of adding detection for the infamous ZeuS Trojan to its Malicious Software Removal Tool. The MSRT is offered alongside Windows updates and if approved will scan host computers once a month for a variety of the most prevalent threats. It will be interesting to chart the impact of this welcome move by Microsoft.