Microsoft Fixes 23 Bugs, Report Examines 'Zero-Days'


It's going to be a busy Patch Tuesday for security professionals who are responsible for keeping Microsoft software up to date.

Not only is Microsoft (NASDAQ: MSFT) releasing a fairly sizeable patch drop -- that includes fixes for some 23 bugs in eight patches, two of them ranked "critical" on the company's four-tiered severity scale -- but also it released the latest installment of its Security Intelligence Report (SIR).

That's not light reading and, despite the fact that only two of the eight patches are rated high-priority, the patches themselves are not going to be easy lifting either.

The most important patch is a cumulative update to Internet Explorer (IE) that fixes eight privately disclosed vulnerabilities in IE, while the other critical patch fixes a hole in Microsoft's .NET Framework and Microsoft Silverlight.

"None of the patched issues are related to active exploits [so-called 'zero day' attacks], however users are urged to patch this as a high priority," Paul Henry, security and forensic analyst at researcher Lumension, said in an email to

Additionally, most of October's patches, critical or not, need attention and will require hours of work by security administrators to roll out.

"Nearly all require a restart which will cause widespread disruptions across both Internet-connected servers and user community desktops," Henry added.

Meanwhile, Microsoft's SIR volume 11 focuses on the dangers of zero-day exploits. Previous recent reports focused on "marketing-like" scams and scareware, as well as botnets and the use of users' PCs as bots or zombies to send spam and other malware.

In fact, two weeks ago, the company trumpeted shutting down yet another botnet -- called "Kelihos" -- and for the first time the company's attorneys were able to actually identify a perpetrator by name who could be sued under malware laws.

In SIRv11, as it's called, Microsoft said it took its deepest dive yet regarding how malware proliferates -- approximately 800 pages of threat intelligence.

"One question I frequently get asked when talking to customers about global malware threats is how exactly do the top malware families successfully spread?" Tim Rains, director of product management for Trustworthy Computing Communications at Microsoft, said in a blog post that accompanied the release of SIRv11.

The answer is a little surprising, given how much attention the topic gets.

"The risk associated with zero-day exploits is real and should be represented in organizations' risk management plans," Rains said.

"[However, the] ... part of the study focusing on vulnerability exploit attempts revealed that zero-day exploitation accounted for about 0.12 percent of all exploit activity in the first half of 2011, reaching a peak of 0.37 percent in June," Rains added.


Stuart J. Johnston is a contributing editor at, the news service of, the network for technology professionals. Follow him on Twitter @stuartj1000.