Microsoft’s biggest-ever security update

Microsoft released its largest-ever set of security patches Tuesday, fixing a total of 49 bugs in products such as Windows, Internet Explorer and Office.

There are 16 groups of patches (called updates) in total. Microsoft says that two of them — the Internet Explorer fix numbered MS10-071 and a Windows patch numbered MS10-076 — should get top priority. Microsoft thinks attack code is likely to be developed that will target bugs fixed by both of those updates.

NCircle Director of Security Operations Andrew Storms agrees that those two updates should be a top priority as they could be leveraged in a drive-by Internet attack. In this common type of attack, a hacker tricks the victim into visiting a Web page that takes advantage of the bug to install a malicious program on the victim’s machine.

The MS10-71 update fixes 10 Internet Explorer bugs. Two are rated critical, meaning they could be used in a drive-by. The MS10-076 update fixes a single critical flaw in the Windows Embedded OpenType (EOT) Font Engine, used by Internet Explorer. The latest versions of Windows include a security technology called ASLR (address space layout randomization) which makes it harder to exploit that type of bug, Microsoft believes attackers are likely to develop attacks for older versions of the operating system such as Windows XP.

The two other top-rated updates are MS10-077, a fix for a bug in Microsoft’s .Net Framework that affects 64-bit systems, and MS10-075, which fixes a critical flaw in the Microsoft Windows Media Player Network Sharing Service, used by Windows to share music files and other media over the network. This service is turned on by default with Windows 7 Home Edition, but a hacker would have to first be on the local network to launch an attack, Microsoft said.

Just because the other fixes are not rated critical does not mean they can be ignored. Symantec says 35 of the 49 bugs fixed on Tuesday could give hackers a way to run unauthorized software on a victim’s machines, and Microsoft says attacks are likely to be developed that exploit some of the lower-rated issues as well.

In fact, one of Tuesday’s updates — MS10-073; rated important by Microsoft — fixes a Windows XP bug that was leveraged by the creators of the Stuxent worm. Stuxnet is the first publicly known worm built to attack industrial systems and it has made headlines during the past weeks amidst speculation that it was designed to target nuclear systems in Iran.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com