Microsoft to fix 49 holes in Windows, IE, Office, and .NET

Microsoft to fix record number of vulnerabilities in next week's Patch Tuesday updates.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Oct. 7, 2010 1:00 p.m. PT

2 min read

Microsoft will fix a record 49 vulnerabilities in its Patch Tuesday release next week that will involve 16 security bulletins affecting Windows, Internet Explorer, Office, and the .NET framework.

Four of the bulletins carry a "critical" rating, 10 are rated "important," and two are "moderate," according to the advisory.

They affect specifically Windows XP, Vista, Windows 7, Windows Server 2003 and 2008, Microsoft Office XP Service Pack 3, Office 2003 Service Pack 3, Office 2007 Service Pack 2, Office 2010, Office 2004 for Mac and 2008 for Mac, Windows SharePoint Services 3.0, SharePoint Server 2007, Groove Server 2010, and Office Web Apps.

Microsoft did not indicate whether two unpatched Windows holes that are being exploited by the Stuxnet worm will be fixed next week. Microsoft previously patched two other zero-day vulnerabilities in Windows the worm was using and said during last month's Patch Tuesday release that two more holes being used by Stuxnet needed to be plugged. Stuxnet spreads through the Windows vulnerabilities but was designed to target industrial control and critical infrastructure systems running Siemens software.

This is the highest number of vulnerabilities fixed in one Patch Tuesday release; the previous record was 34 holes fixed in August.

Meanwhile, in a tacit acknowledgment that after-the-fact patching isn't enough, Microsoft is proposing new ways to address security issues online. Earlier in the week, Microsoft released a paper (PDF) written by Scott Charney, corporate vice president for Microsoft's Trustworthy Computing, in which he proposes applying public health models to the Internet.

He suggests that computers could be given "health certificates" indicating whether they have the latest software patches, their firewalls are installed and correctly configured, antivirus programs are up-to-date, and that they are free of malware. If the health certificate indicates that something is amiss, an ISP could notify the computer user about the problem, and if the computer is being used in an attack, the bandwidth could be throttled to curb that activity, he said.

Comcast is already taking action to alert its Internet-using customers to possible malware on their computers as part of its anti-botnet service. And Brian Krebs reports that the FCC may do more to encourage ISPs to be more proactive in protecting consumer PCs.