Microsoft to plug critical IE, final Stuxnet Windows holes
On Patch Tuesday, the software giant will release 17 updates plugging 40 holes. Microsoft also says its 106 security bulletins for 2010 is a record.
Microsoft said today that next week's Patch Tuesday will bring 17 updates plugging 40 holes and featuring two rated "critical," including one in Internet Explorer that was targeted in attacks last month.
The critical IE vulnerability was written for IE 6 and 7 but IE 8 is also vulnerable, Microsoft said when it issued a warning about it in November.
Also fixed on Tuesday will be the final of four holes in Windows that the Stuxnet malware used.
"This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware," Mike Reavey, director of the Microsoft Security Response Center, said in a blog post.
Windows (all supported versions), Office, IE, SharePoint, and Exchange are affected by the bulletins, today's advisory says.
This brings Microsoft's total bulletin count for the year to a record 106, Reavey said. He attributed that to vulnerability reports in Microsoft products increasing slightly and older products "meeting newer attack methods, coupled with overall growth in the vulnerability marketplace."
"Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known," Reavey wrote.