Microsoft Issues Record Number of Security Updates

Brian Krebs
Copyright 2009
Tuesday, October 13, 2009; 5:41 PM

Microsoft Corp. on Tuesday issued an unprecedented number of updates to fix security problems in PCs powered by its Windows operating systems and other software: The software giant released patches to plug at least 34 security holes, the highest number of vulnerabilities it has ever addressed in a single month.

October's batch of patches offers a little something for all Windows users, fixing security issues in Windows applications from the Internet Explorer (IE) browser and Microsoft Silverlight, to Microsoft's Internet Information Services (IIS) server, said Tyler Reguly, lead security research engineer at security vendor nCircle.

"Again we see a month of client-side issues in almost every major Microsoft product," Reguly said. "Whether you run Office, Windows Media Player, Internet Explorer, .NET or just Windows itself, there's a vulnerability for you."

Two-thirds of security holes addressed this month earned Microsoft's "critical" rating - its most severe. Microsoft labels a security flaw critical if bad guys can exploit it remotely to take complete control over a Windows system, without any help from the victim.

Compounding that threat is the fact that information about how one might exploit several of these flaws has already been released online, said Wolfgang Kandek, chief technology officer for Qualys, a software update management firm.

"The descriptions in a number of updates today include some kind of indication that attackers were already aware of these vulnerabilities, and if they're not exploiting them right now would be fairly easy to come up with exploits for most of them," Kandek said.

Among the flaws patched in this month's release is a set of vulnerabilities in the file-sharing capability of Windows Vista and Windows Server 2008 systems. This issue earned a great deal of attention last month because proof-of-concept exploits that attackers might use to figure out how to attack the flaw were posted on the Web.

Microsoft also issued a patch to address a remarkable security weakness in a Microsoft component responsible for handling Web site encryption certificates (also known as "secure sockets layer" technology; SSL is what prevents other users on a network from eavesdropping on your sensitive communications, such as with your bank's Web site). On Monday, someone published online a template that other hackers could use to forge SSL certificates for Paypal.com.

It would hardly be a Patch Tuesday without a bundle of security updates for Internet Explorer, and this month's batch doesn't disappoint. Microsoft fixed at least four IE-specific vulnerabilities, including one for an IE flaw that was publicly disclosed prior to today. Fixes are available for all versions of Internet Explorer, including IE 6, 7 and 8 (as well as the release-to-manufacturer version of IE8 that ships with Windows 7).

Updates are available via the Windows Update Web site, or through Automatic Updates. As always, please drop us a note in the comments section below if you experience any funky problems with your Windows system after applying these updates.



© 2009 Washingtonpost.Newsweek Interactive