Microsoft will patch a record 64 vulnerabilities next week, releasing 17 bulletins, 9 of them rated “critical,” that address flaws in Windows and Internet Explorer.
The bulletins will be released during Microsoft Patch Tuesday on April 12. The number of bulletins ties a December 2010 record for security updates issued.
“This is a huge update and system administrators should plan for deployment as all Windows systems, including Server 2008 and Windows 7, are affected by critical bulletins,” Amol Sarwate, manager of the Qualys Inc. vulnerability research lab, wrote on the company blog. “Frequently used office applications like Excel 2003 through 2010 and PowerPoint 2002 through 2010 are also affected.”
In its Advance Notification, Microsoft said it would address an MHTML protocol handler vulnerability in Windows, a flaw that it acknowledged in January. Proof-of-concept code surfaced, enabling attackers to target the vulnerability. The software giant issued a temporary workaround, which locks down the MHTML protocol, while engineers worked on a patch for the issue.
In a message on the Microsoft Security Response Center blog, Pete Voss, senior response communications manager with Microsoft Trustworthy Computing, said engineers have been testing a patch to address the issue and have been keeping customers informed.
“We alerted people to this issue with Security Advisory 2501696 (including a Fix-It that fully protected customers once downloaded) back in late January,” Voss wrote. “In March, we updated the advisory to let people know we were aware of limited, targeted attacks.”
In addition, Microsoft indicated it would address a flaw in the Windows Server Message Block (SMB) network and file-sharing protocol that was publicly disclosed Feb. 15. Researchers said the vulnerability could be exploited by remote attackers or malicious users to cause a denial of service (DoS) or take control of a vulnerable system.
“Microsoft assessed the situation and reported that although the vulnerability could theoretically allow remote code execution, that was extremely unlikely,” Voss wrote. “To this day, we have seen no evidence of attacks.”
The Microsoft bulletins will be issued at 1 p.m., April 12.