Eight patches, 28 vulnerabilities for festive Patch Tuesday

Microsoft has closed out the year with a mammoth security update -- fixing 28 vulnerabilities, many of them Office and web flaws.

In its largest security update of the year, Microsoft on Tuesday delivered eight patches to correct a monster 28 vulnerabilities.

Six of the bulletins address "critical" bugs, while two others involve vulnerabilities rated "important."

"The sheer number of vulnerabilities being patched is what grabs my attention," said Ben Greenbaum, senior research manager at Symantec Security Response. "They all have the potential to be dangerous if not patched."

Seven of the patches affect client-side applications, including Office, Internet Explorer, ActiveX and Graphics Device Interface (GDI), said Andrew Storms, director of security operations at nCircle.

"Following the vulnerability trend of the past few years, in order to take advantage of these bugs, attackers need to entice the user to take action, such as going to a malicious website or opening a file containing malware," Storms said.

He added that he expects attackers to attempt to exploit the flaws this holiday season through social engineering tricks, such as fake e-cards and websites claiming to offer animation and Christmas songs.

Microsoft also published a new security advisory warning of a vulnerability in the WordPad Converter for Word 97 files, Christopher Budd, security program manager for Microsoft, wrote Tuesday on the company's security blog. The bug affects Windows 2000 Service Pack (SP) 4, XP SP2 and Server 2003 SP1 and SP2. Workarounds are available.

"We are aware of very limited and targeted attacks seeking to exploit this vulnerability," he said.

See original article on scmagazineus.com
Copyright © SC Magazine, US edition
