14 DAY TRIAL // Microsoft plans to release 17 security updates that fix 40 vulnerabilities next Tuesday, including an actively exploited vulnerability in Internet Explorer and a still unpatched privilege escalation flaw leveraged by the notorious Stuxnet worm.
Next week’s Patch Tuesday will be the last of this year and will cover security issues in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange.
The Internet Explorer vulnerability, identified as CVE-2010-3962, can be exploited to execute arbitrary code remotely and was discovered in the wild at the beginning of November.
It has remained unpatched for almost six weeks, despite reports of being exploited in targeted attacks, having proof-of-concept exploit code for it being publicly disclosed and being incorporated in drive-by download toolkits.
“Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low,” said Mike Reavey, director of the Microsoft Security Response Center (MSRC).
“Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP),” he added.
The other zero-day vulnerability, CVE-2010-3888, is located in the Windows Task Scheduler and can be leveraged to escalate the privileges of a limited account.
It is one of the four Windows vulnerabilities exploited by the Stuxnet industrial espionage worm and has been known to Microsoft since at least August.
Microsoft’s Reavey claims the company has not seen this vulnerability being actively exploited by other malware except Stuxnet.
However, security researchers from Kaspersky Lab announced earlier this week that a variant of the highly sophisticated TDL4 rootkit leverages the vulnerability to bypass UAC.
According to Microsoft’s advance notification service, the Security Bulletin addressing CVE-2010-3962 is rated as critical, while the one covering CVE-2010-3888 as important.