Dec 10, 2010 11:48 GMT

Microsoft plans to release patches for a massive 40 vulnerabilities impacting a range of its products in the week of December 20th, 2010. It’s the Redmond company’s last Patch Tuesday of the year, and the software giant is closing it with a veritable ‘bang’ of security bulletins.

Users needing to plug all 40 security holes will have to download and deploy no fewer than 17 security bulletins from the software giant next week.

However, there is some good news. Apart from just two patch packages resolving high-risk vulnerabilities and the updates for security flaws that are already exploited in the wild, the vast majority of this month’s issues do not allow for remote code execution.

“For December we're releasing 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate.

“As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible,” explained Mike Reavey, Director, MSRC.

Of course, Microsoft’s advice is always to deploy the updates as soon as they are released.

Each month, the company also provides deployment guidance, highlighting the patches that need to be prioritized.

December will also mark the availability of security fixes for vulnerabilities already exploited in the wild.

“First, we will be closing the last Stuxnet-related issues this month. This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware,” Reavey said.

“We're also addressing the Internet Explorer vulnerability described in Security Advisory 2458511. Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low.

“Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP),” he added.