Microsoft has a big bag filled with "presents" for security professionals and administrators this December – one of the largest patch releases in the company's history. But it brings with it a lot of work for those staffers to get done before, or during, the holidays.

On December's Patch Tuesday security fix release, Microsoft (NASDAQ: MSFT) shipped 17 patches, primarily for Windows and Internet Explorer (IE). Microsoft warned IT staffers last Thursday that the blizzard of patches was coming.

All told, Microsoft is fixing a total of 40 security flaws. While most are rated "important," or second most dangerous on Microsoft's four-tier severity scale, two of the patches fix some seven separate "critical" vulnerabilities – the highest level. However, only two of those flaws have been publicly disclosed and, of those, one has been exploited on a limited basis "in the wild."

"We've assigned our highest deployment priority to the two critical bulletins [patches], though we recommend that customers deploy all updates as soon as possible," Angela Gunn, senior marketing communications manager, said in a post on the Microsoft Security Response Center (MSRC) blog, Tuesday.

One of the fixes in the first critical patch repairs a security hole in IE that Microsoft first warned users about in early November.

That bug mainly affects IE 6 and IE 7 users – IE 8 users are "at reduced risk," according to a post to Microsoft's Security Research & Defense blog.

The other three vulnerabilities fixed by the same critical patch are memory corruption and cross-domain bugs in IE. Such flaws can often be triggered simply by visiting a booby-trapped website, and a successful attack gives the intruder complete control of the user's PC.

Meanwhile, the second critical patch fixes three critical holes in Windows' handling of OpenType, a widely used scalable font format.

"All three issues were privately reported and we are not aware of any active attacks using them," Gunn's post continued.

Those bugs could cause havoc too: a user who merely opened or previewed a file carrying a malicious font could find his or her PC hijacked with no further interaction needed.

"Users of Windows XP and 2003 are not affected, because the 'shell preview' [which is where the problem lies] functionality was added in the next generation of the Windows OS family. [But] users of Vista, Windows 7 and Windows Server 2008 need to apply this update and should do so immediately as this is an easily exploitable flaw," Wolfgang Kandek, Qualys CTO, said in an e-mail to InternetNews.com.

Then there are the 15 other patches, all but one rated important. They mostly affect various versions of Windows, although Office, SharePoint, and Exchange also receive fixes. The one exception is a second Exchange patch, which ranks in the "moderate" category, the third of Microsoft's four severity levels.

What the giant holiday patch drop may do, however, is get administrators wishing that Microsoft had fixed some of the bugs last month, which was sleepy in comparison.

"Microsoft really is making waves by dropping 17 bulletins – another record Patch Tuesday – on the industry in a month where resources are already limited," Rapid7 security researcher Josh Abraham said in an e-mail to InternetNews.com.

Don Leatham, senior director of solutions and strategies at security firm Lumension, agreed.

"The December patch Tuesday is definitely giving IT security teams the feeling that the Grinch could have the upper hand on Santa this holiday season," Leatham added.

Further information about Microsoft's Patch Tuesday release for December is available online.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.
