Microsoft is giving its customers a reassuring present for the holidays: a substantial security update that addresses 40 vulnerabilities across 17 bulletins in Microsoft Windows, Office, and Internet Explorer, along with server-based systems like SharePoint Server and Exchange. Among the fixes are five critical and two moderate patches for all versions of Internet Explorer, including a fix for a bug that could enable attackers to execute arbitrary code using invalid flag references in Cascading Style Sheets (CSS) used to specify how Web pages should be displayed.
The update also fixes a critical problem with Windows’ OpenType Font driver and patches the last known vulnerability being exploited by the infamous Stuxnet malware.
Microsoft first warned users about the CSS vulnerability in Internet Explorer in early November; although the problem affects Internet Explorer 6, 7, and 8, Microsoft says IE6 and IE7 users saw the most impact. The other Internet Explorer fixes close holes that could let an attacker take over a computer when a user simply loads a malicious Web site. Although the CSS vulnerability has been exploited in the wild, Microsoft says it is not aware of any real-world attacks against the other vulnerabilities. Similarly, Microsoft does not know of any cases where the OpenType vulnerability was exploited.
The sizable security update follows a comparatively sedate November, which consisted of only three patches. Security experts are concerned that, with both consumers and businesses distracted by the end-of-year holidays, they may defer installing Microsoft’s latest round of patches, which not only fixes more problems but addresses at least one major vulnerability that is already being exploited in the wild.