Microsoft Corp. last week issued 10 security updates that patched a record 31 vulnerabilities — 18 marked “critical” — in Windows, Internet Explorer, Excel, Word and other applications.

The bugs are the largest number that Microsoft has patched in a single month since the company began its regular update program in 2003. The previous record of patches for 28 flaws was set last December.

“This is a very broad bunch,” said Wolfgang Kandek, chief technology officer at security company Qualys Inc. “You’ve got work [to do] everywhere; servers and workstations, and even Macs if you have them. It’s not getting any better. The number of vulnerabilities [Microsoft discloses] continues to grow,” he added.

Of the 10 bulletins, six patched some part of the Windows operating system, three patched an application or component in the Office suite, and one fixed several flaws in IE. Eighteen of the 31 bugs carried Microsoft’s most serious label in its four-step ranking, while 11 were tagged as “important,” the next-lowest level, and two were judged “moderate.”

Andrew Storms, director of security operations at nCircle Network Security Inc., suggested that users first patch the IE bugs. “IE’s, by far, take the cake,” Storms said. “There are eight [common vulnerabilities and exposures], and there’s no doubt that it will be exploited.”

Eric Schultze, chief technical officer at Shavlik Technologies LLC, added updates to Internet Information Server and Active Directory to the IE patch in his list of recommendations of what to fix first. The IIS flaw affects some systems that have enabled Web-based Distributed Authoring and Versioning, or WebDAV, a set of HTTP extensions used to share documents over the Web.

A separate update also includes a tool that can detect a rogue antivirus program called Internet Antivirus Pro.
The rogue program tries to trick users into installing password-stealing software.