
Record Patch Tuesday yields critical Windows, IE fixes

Microsoft says four fixes dealing with audio and video codecs, Office, .Net, and Silverlight should be priorities. Meanwhile, Adobe releases 10 critical fixes.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Microsoft issued a record number of monthly patches on Tuesday, including fixes for eight critical holes affecting Windows, Internet Explorer, Microsoft Word, and other programs that could be exploited to take control of a computer.

Of the 14 patches, which address a total of 34 vulnerabilities, four should be given priority, Microsoft said in a Microsoft Security Response Center blog post:

MS10-052, which resolves a vulnerability in Microsoft's MPEG Layer-3 audio codecs that could allow remote code execution if a specially crafted media file were opened or a Windows user received specially crafted streaming content from a Web site.

MS10-055, which fixes a hole in Windows Media Player's Cinepak Codec that could allow remote code execution if a computer opens a specially crafted media file, or receives specially crafted streaming content from a Web site.

MS10-056, which resolves four flaws in Microsoft Office, including one that could allow remote code execution if a computer user opens or previews a specially crafted rich text format e-mail.

MS10-060, which plugs two holes that could allow remote code execution, in Microsoft .Net Framework and Microsoft Silverlight.

None of those vulnerabilities has been seen exploited in the wild yet, Microsoft said. The six other bulletins are rated "Important," and two of them, MS10-047 and MS10-048, are Windows Kernel updates.

A chart-based breakdown of the vulnerabilities, their severity and other information is on the Microsoft TechNet blog. Additional details on all the fixes are in the August Security Bulletin Summary.

This chart explains the priority Microsoft is assigning to each of the 14 bulletins released in August. (Credit: Microsoft)

Affected software includes: Windows 7; Windows XP; Vista; Windows Server 2003 and 2008; Windows Server 2008 release 2; IE 6, 7 and 8; Office XP Service Pack 3; Office 2003 Service Pack 3; 2007 Microsoft Office System Service Pack 2; Office 2004 and 2008 for Mac; Office Word Viewer; Office Compatibility Pack for Word, Excel and PowerPoint; 2007 File Formats Service Pack 2; Microsoft Works 9; and Silverlight 2 and 3.

As part of Patch Tuesday, Microsoft also released Security Advisory 2264072, which warns of a problem affecting Windows XP, Vista, Windows 7, Server 2003 and 2008 that could be used to leverage the Windows Service Isolation feature to gain elevation of privilege on the machine. The Windows Service Isolation feature is an optional configuration. The advisory also includes information about a non-security update addressing an attack vector through Windows Telephony Application Programming Interfaces.

Meanwhile, the August bulletins close Security Advisory 977377, which described a spoofing vulnerability. Microsoft worked with the Industry Consortium for Advancement of Security on the Internet to develop a new standard to address the issue.

Last week, Microsoft released an emergency patch for a critical Windows vulnerability that was being exploited by a fast-spreading virus and other malware. The so-called "shortcut" vulnerability could be used by attackers to take control of a computer.

On Tuesday, Microsoft added Stuxnet and related Windows viruses Sality and Vobfus to its Malicious Software Removal Tool.

"It's another movies-to-malware month for Microsoft," said Andrew Storms, director of security operations at nCircle. "Four of the 14 bulletins this month fix bugs in media applications. Already this year Microsoft has fixed bugs in media applications or media file formats in February, March, April, and June, so this month continues an obvious and growing trend. So much of what people do on the Internet these days includes videos or music and malware writers continue to take advantage of the fact that people are less aware of malware embedded in these files."

On Tuesday, Adobe also released security updates for 10 critical holes in Flash Player and Flash Media Server, as well as an important hole in ColdFusion.

Updated 1:18 p.m. PDT with Adobe releases.