Microsoft Patches Nearly 50 Security Holes


Microsoft fixed a total of 49 security flaws with 16 patches -- four of them rated "critical" -- on Tuesday.

Most of the security holes fixed on this "Patch Tuesday" -- so-called because Microsoft (NASDAQ: MSFT) normally releases most of the patches it will issue for each month on the second Tuesday of each month -- affect Windows.

"It's worth noting that only six of the 49 total vulnerabilities being addressed have a critical rating. Further, three of the bulletins account for 34 of the total vulnerabilities," Carlene Chmaj, security response senior communications manager, said in a post to the Microsoft Security Response Center (MSRC) blog Tuesday.

Microsoft uses a four-tier ranking system for security holes, with "critical" as the top rating. The next step down is "important," which usually means that a vulnerability is more difficult to exploit than one ranked as critical.

Besides the four patches that fix the six critical vulnerabilities, most of the rest are classified as important. (A patch, or Security Bulletin, can contain fixes for multiple related bugs.)

No matter what, security administrators in IT organizations large and small will have their hands full this week as they scramble to get all 49 vulnerability fixes installed and tested before hackers begin to try to exploit this latest batch of bugs.

Microsoft notified security administrators last Thursday that it had a large Patch Tuesday drop coming, its standard procedure for giving them some advance warning about what they need to prepare for.

At the top of Microsoft's critical list this month are vulnerabilities in Internet Explorer (IE) running on Windows clients. That includes IE6, IE7, and IE8 running on all supported versions of Windows, which also encompasses Microsoft's best-selling Windows 7.

The IE patch fixes a total of ten vulnerabilities, most of them ranked as important. Three of them were zero-day flaws that had already been disclosed, but had not been attacked so far, the company said.

Additionally, the patch is what's called a "cumulative update" to IE, so for any administrator who has missed installing any previous IE patches, this will bring those installations up to date.

Microsoft is not alone in calling out that patch for immediate attention.

"It is a critical update for Internet Explorer 6, 7 and 8 and has an exploitability index of 1 indicating that Microsoft believes the vulnerability relatively easy to exploit," Wolfgang Kandek, CTO of security researcher Qualys, said in an e-mail to

Next on Microsoft's list is a hole in Windows Media Player that could let an attacker take over the user's PC. However, the attacker must already be authenticated on the same local subnet as the target PC, which makes the flaw less likely to affect corporate PCs.

"[The patch] affects Windows Media Player and should be considered critical for home users ... By sending a malicious real time streaming protocol network packet to an unpatched machine, an attacker can take control of the machine," Jason Miller, data and security team leader at Shavlik Technologies, said in an e-mail to

Moving further down, Microsoft patched a hole in the way Windows displays compact Web fonts called Embedded OpenType (EOT) fonts. An attacker could send a user a booby-trapped e-mail message containing a Word or PowerPoint attachment using EOT fonts. Alternately, the attacker could lure a user to visit a site that displays the malicious content.

"It is a critical vulnerability in the way Windows handles fonts and can be triggered by a simple malicious webpage without interaction from the user, making it a good candidate for a 'drive-by' infection campaign," Kandek said.

The final critical patch fixes a hole in Microsoft's .NET Framework 4.0, a framework for building applications that run on Windows -- only this one is specific to 64-bit editions of the operating system.

"[This] is a vulnerability in the .NET framework running under 64-bit versions of Windows, and allows the attacker to take over the target computer. In addition to the client-side component, it is possible for the attacker to use this vulnerability on a server if it allows the upload of ASP.NET code. This is a plausible scenario in Web hosting companies," Kandek added.


Stuart J. Johnston is a contributing writer.