Microsoft fixes record 49 holes, including Stuxnet flaw

Microsoft plugs six critical holes, including one being exploited by Stuxnet, in security bulletin that fixes a record 49 vulnerabilities.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Oct. 12, 2010 11:47 a.m. PT

2 min read

In a record Patch Tuesday, Microsoft released updates today for Windows, Internet Explorer, and the .NET framework that feature fixes for 49 holes, including one being exploited by the Stuxnet worm.

Microsoft recently fixed two of the four unpatched holes being used by Stuxnet to spread to Windows-based machines. The malware ultimately targets systems running software from Siemens that is used in critical infrastructure operations. Today's release plugs one (MS10-073) of the remaining two holes and the company said in a blog post that the final hole will be addressed in an upcoming security bulletin.

Meanwhile, Microsoft provided a priority list for the 16 bulletins being released, which fix 6 holes that are rated "critical." Four vulnerabilities are singled out because there are likely to be exploits developed for them, according to a Microsoft blog that assesses the risks of the various vulnerabilities.

The first bulletin to be deployed should be the MS10-071, a hole in IE 6, 7, and 8 that could allow an attacker to take control of a computer if a user browses to a malicious Web page. Second on the list should be MS10-076, which affects Windows XP, Vista, Windows 7, and Windows Server 2003 and 2008.

Next up is MS10-077, which affects the same operating system versions as MS10-076. The most likely attack vectors are when a victim running 64-bit Windows browses to a malicious Web page or when an attacker is allowed to run ASP.Net code on 64-bit IIS (Internet Information Services) server to run arbitrary code.

And finally there is MS10-075, which is rated "critical" for Windows 7 but only "important" for Vista. It fixes a hole in the Microsoft Windows Media Player Network Sharing Service that could allow an attacker to compromise a system by sending a malicious RTSP (real-time streaming protocol) packet to an affected system.

"Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all," said Joshua Talbot, security intelligence manager at Symantec Security Response. "Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines."

The previous record for vulnerabilities fixed was 34, which was set in October 2009, and reached in June and August of 2010.

Update Oct. 13 at 1:17 p.m. PST Microsoft also has added detection for the Zeus Trojan to its Malicious Software Removal Tool.