Critical IE Update In Largest Patch Tuesday

Microsoft released a total of 17 security bulletins on Tuesday addressing 40 software vulnerabilities, its largest Patch Tuesday release to date. Of the 17 bulletins, only two were rated “critical”.

“Both MS10-090 and MS10-091 are pretty critical, I think,” said Andrew Storms, director of security operations for nCircle Security. “Microsoft’s evaluation seems in line with what I would expect, and shows that they’re giving a pretty fair and balanced representation of priorities.”

The Internet Explorer bulletin (MS10-090) addresses seven flaws, six of which are rated critical; most of them were already being exploited in attacks. The bulletin affects every supported version of Internet Explorer except IE9, according to Microsoft.

The second critical bulletin (MS10-091) fixes a bug in Windows’ handling of OpenType fonts. Microsoft classifies MS10-091 as a Windows update, but because the flaw sits in the operating system’s font code it also indirectly affects IE and any other browser that renders OpenType fonts through Windows, including Firefox, Chrome, Safari and Opera.

Microsoft has not said whether those browsers need to be patched separately. Opera Software, whose browser uses OpenType, said that Opera itself does not need a patch.

“The patch for Opera is the referenced Microsoft [MS10-091] patch, as it is not possible for the [browser] to protect itself against the problem, except by disabling webfonts, since the problem is in the OS’s handling of fonts,” said Thomas Ford, an Opera spokesman.

Though Microsoft has patched many problems, it has not yet released a fix for the CSS-handling vulnerability that was publicly disclosed on a mailing list last week.

Five other bulletins fix DLL preloading (“DLL hijacking”) weaknesses in a number of components. Plenty of other affected components still need fixing, but this is a big step up from the single DLL hijacking patch Microsoft shipped in October.
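A check a practitioner might run alongside these DLL preloading bulletins, added here as an example and not part of the original article: it reads the two Windows registry values that govern the DLL search order. It assumes the `CWDIllegalInDllSearch` value Microsoft documented in KB2264107 and the long-standing `SafeDllSearchMode` value, both under the `Session Manager` key; the function names are ours. It tells you how the host is configured, not whether the five bulletins are installed.

```powershell
# Added example (not from the article). Reports the Windows DLL search-order
# hardening values relevant to DLL preloading ("DLL hijacking").
# Assumes a Windows host and the registry values documented in KB2264107.
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Describe-CwdSetting([object]$value) {
    # Meanings follow KB2264107. Get-ItemProperty returns REG_DWORD as Int32,
    # so the documented 0xFFFFFFFF shows up as -1.
    if ($null -eq $value) { return 'not set: the current working directory is still searched' }
    switch ($value) {
        0          { return 'disabled: the current working directory is still searched' }
        1          { return 'blocks DLL loads from the current directory when it is a remote WebDAV share' }
        2          { return 'blocks DLL loads from the current directory when it is any remote share (WebDAV or SMB)' }
        -1         { return 'blocks DLL loads from the current working directory entirely (0xFFFFFFFF)' }
        4294967295 { return 'blocks DLL loads from the current working directory entirely (0xFFFFFFFF)' }
        default    { return "unrecognised value $value" }
    }
}

function Get-DllSearchHardening {
    $props = Get-ItemProperty -Path $SessionManagerKey -ErrorAction Stop
    $safe  = $props.SafeDllSearchMode       # $null means the default (enabled since XP SP2)
    $cwd   = $props.CWDIllegalInDllSearch   # $null means the KB2264107 mitigation is not set

    [pscustomobject]@{
        SafeDllSearchMode     = if ($null -eq $safe) { '1 (default, enabled)' } else { $safe }
        CWDIllegalInDllSearch = if ($null -eq $cwd)  { 'not set' } else { '0x{0:X8}' -f $cwd }
        Effect                = Describe-CwdSetting $cwd
    }
}

Get-DllSearchHardening | Format-List
```

Setting `CWDIllegalInDllSearch` is a system-wide mitigation that can break applications which legitimately load DLLs from their working directory; test it before rolling it out broadly, and treat it as a complement to, not a substitute for, installing the per-component bulletins.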

According to Symantec, this Patch Tuesday set a record for bulletins in a single month and pushed the year’s total past any previous year.

“Seventeen bulletins are the most ever issued in a single month,” said Joshua Talbot, security intelligence manager of Symantec.  “Also, Microsoft has now released 106 security bulletins in 2010 – the first time topping the century mark since the Patch Tuesday program began. The next closest was 78 in 2006 and 2008.”

Of the 40 individual vulnerabilities, nine were rated critical, 29 important and two moderate.

Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), attributes the large number of patches to Microsoft working through its backlog of reported vulnerabilities.

“We encourage customers to install all the updates as soon as possible,” said Bryant in an interview with ComputerWorld earlier this week, pointing to MS10-090 and MS10-091 as the two to fix first. “They can then look at the [others] and prioritize them [for deployment], perhaps after the holidays.”