Microsoft released eight bulletins and one security advisory on Tuesday. It scored six of the bulletins critical and two important.
December's list of 28 vulnerabilities is the largest Microsoft has addressed since it first designated the second Tuesday of each month Patch Tuesday in late 2003. All the critical issues are client-side remote-code execution vulnerabilities, meaning any attacks would require user interaction -- as little as viewing a compromised Web page.
Besides the bulletins, Microsoft's security advisory notes it is investigating reports of a vulnerability in WordPad Text Converter for Microsoft Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server.
A Patch Bonanza
"The sheer number of vulnerabilities being patched is what grabs my attention. They all have the potential to be dangerous if not patched," said Ben Greenbaum, senior research manager for Symantec Security Response.
"While Web-based attacks seem to be the main choice for opportunistic attackers, targeted attacks are often carried out via malicious Word and Excel files attached to e-mail messages. While both of these vectors have vulnerabilities patched by today's release, the number of vulnerabilities in Word and Excel provides attackers additional means to carry out these kinds of attacks."
According to Greenbaum, the ActiveX, GDI, Windows search, and Internet Explorer vulnerabilities will be targeted on sites that users trust -- including social-networking sites, forums and media-sharing sites. Attackers try to get users to click on links that take them to corrupted or inserted content that includes the attack.
An Underrated Bulletin
"This month's updates have a single message: Client-side attacks. Vulnerabilities affecting Office, search, and ActiveX Controls all scream phishing attempts and mining, especially the sheer number of vulnerabilities affecting Office this month," said Tyler Reguly, a security research engineer at nCircle.
MS08-077, which affects SharePoint, is the most important and most interesting bulletin, Reguly added, because of SharePoint's wide deployment. Microsoft is calling this an elevation of privilege and scores it as important, but Reguly thinks it's scored too low.
"The vulnerability allows an unauthenticated attacker to access administrative controls. While the successful attacker would technically elevate privilege (anonymous to the administrator), this vulnerability allows access controls to be bypassed altogether," Reguly said. "For most people, privilege escalation means elevating regular users' access to administrator, which may cause administrators to patch this issue with less urgency."
Thanks to Security Community
As Reguly sees it, December is a good time to acknowledge the importance of security research. Most of the problems patched this month were discovered by outside researchers.
"This practice of responsible disclosure helps to increase the level and quality of security experienced by end users," he said. "These vulnerabilities could be used for personal profit by security researchers, yet they aren't."