Microsoft this month announced the largest Patch Tuesday ever: a total of 17 advisories addressing 40 distinct vulnerabilities, covering all versions of the Windows OS plus Internet Explorer, MS Office, SharePoint and Microsoft Exchange. Out of the 17 advisories only 2 are rated critical. The first provides an update for Internet Explorer v6, v7 and v8. This update also provides a fix for the open 0-day vulnerability KB2458511, which has seen some exploits in the wild. Our recommendation is to apply the patch as soon as possible. The second advisory is critical only for Vista, Windows 7 and Windows 2008; users of XP and 2003 are only looking at a rating of "Important".
There are 2 advisories for Microsoft Office file format vulnerabilities that should be looked at closely and potentially prioritized by IT administrators.
This month also closes the last open 0-day vulnerability from the Stuxnet worm. Microsoft is providing an update rated "Important" because it addresses a privilege escalation bug, i.e. one that requires the attacker to already be on the machine in order to exploit it.
The high number of advisories will present a challenge to all Windows system administrators, especially with the holidays shortening the available working hours.
Also today, VUPEN has documented a new vulnerability in IE6, 7 and 8 that so far has not been acknowledged by Microsoft.