Microsoft plugs critical holes in huge Patch Tuesday

Microsoft issued three critical security bulletins on Tuesday, plugging 10 holes that could allow an attacker to remotely take control of a Windows computer via a malicious media file or streaming content, or malicious Web content viewed through Internet Explorer.

Overall, this Patch Tuesday release involves 10 bulletins fixing 34 vulnerabilities affecting all supported versions of Windows, Office XP, Office 2003 and 2007 Microsoft Office System, Office 2004 and 2008 for Mac, Excel Viewer, and Sharepoint Services 3.0.

"This is the largest Microsoft patch release of 2010 and ties the record for the most vulnerabilities ever addressed in a single month; a record set in October of last year," said Joshua Talbot, security intelligence manager at Symantec Security Response. "This month's release also features the largest ever single bulletin, with 14 vulnerabilities in Excel being addressed together."

Microsoft gave the highest deployment priority to the three critical bulletins in a Security Response Center blog post. The first listed, MS10-033, fixes a hole in Quartz.dll and Asycfult.dll and is rated critical on all supported versions of Windows.

The second, MS10-034, is a cumulative update for ActiveX Kill Bits, code that flags specific ActiveX software as unsafe, and is critical on Windows 2000, XP, Vista, and Windows 7. The patch applies Kill Bits for two Microsoft controls--Internet Explorer 8 Developer Tools control and the Data Analyzer ActiveX control, which is not installed by default. The bulletin also includes Kill Bits for four third-party controls.

The third critical bulletin, MS10-035, is a cumulative update for Internet Explorer addressing six vulnerabilities including one that was disclosed in February. The hole could allow information disclosure for users running the browser on Windows XP.

The release also includes a fix for Security Advisory 983438, which involves a vulnerability in SharePoint Services 3.0 that was disclosed in late April and which could lead to a cross-site scripting attack via the browser. Proof-of-concept exploit code has been published publicly but Microsoft said it was not aware of any active attacks using the hole.

Also plugged are holes in the Windows Kernel-Mode Drivers ; the COM (Component Object Model) Validation in Office; the OpenType Compact Font Format Driver; Excel, Internet Information Services and Microsoft .NET Framework.

For bulletin MS10-036 involving COM, Office XP does not have the architecture needed to support the update so Microsoft has made a workaround available that customers can install via a Microsoft Fixit on Windows XP or newer operating systems. The FixIt is available for download from KB983235.

"The most serious is the Windows kernel TrueType font parsing vulnerability," Symantec's Talbot said. "Exploiting this--likely through a drive-by download attack--would give an attacker near system-level privileges. It's doubtful that attackers would compromise a legitimate site to exploit this vulnerability, so users should be extra cautious of social-engineering tricks coaxing them to visit unfamiliar Web pages, which could contain a malicious font."

Generally, whenever Microsoft patches IE, it's the top priority to deploy and this rule-of-thumb is doubly true this month," said Andrew Storms, director of security operations for nCircle. "Along with patching a previously disclosed bug, Microsoft is patching a number of other critical security issues in IE this month, including their PWN2OWN bug from CanSec West" in March.

Microsoft provides specific information about assessing the risk of the bulletins on the Security and Research Defense blog.

Update 1:42 p.m. PDT: Meanwhile, Apple plugged four dozen holes in Safari with its latest release of the browser and Adobe said it would issue an update for Flash Player by Thursday, and for Adobe Reader and Acrobat by June 29 to fix a critical hole.