Microsoft unleashes its newest patch tomorrow, December 14. The patch includes seventeen security bulletins and updates that will address forty vulnerabilities. Some of those vulnerabilities are already known to be critical; more may be discovered once the patch is live.
To date, two of the vulnerabilities have already been designated as critical. As many as twenty-five could be critical, but the actual numbers and the extent of the vulnerabilities won't be known until the patch is released. The two known critical vulnerabilities affect Internet Explorer and Windows.
Of the seventeen security bulletins, thirteen of them, including the two critical ones, affect Internet Explorer and all versions of Windows. Two of the bulletins affect two important vulnerabilities within Microsoft Office. Another bulletin will repair an important vulnerability in SharePoint Server 2007. The final bulletin, rated moderate, will affect x64-based Exchange Server 2007.
Among the bugs the patch is intended to repair is the last of the Stuxnet zero-day vulnerabilities. Those vulnerabilities appear to enable local privilege elevation attacks. Microsoft states that such attacks have not yet been seen in the wild outside of Stuxnet.
The patch also includes several non-security updates. One will resolve issues caused by the revised Daylight Saving Time and time zone laws in several countries; the update will enable an automatic adjustment of computer clocks on the correct date in 2011. Microsoft will also include its usual updates to the Malicious Software Removal Tool and Windows Mail Junk Filter.
Sources: Microsoft Support, Microsoft Security Response Center, PCMag
