Microsoft on Thursday issued an advance notice for its December security bulletins, which will be released on December 14 and will include 17 updates designed to address 40 vulnerabilities in Windows, Office, Internet Explorer, SharePoint, and Exchange.
Microsoft issues these advance notifications every month before the updates themselves are released, so that users can prepare for testing and deployment of the patches. December's release sets a record number of patches from Microsoft this year, beating the number of patches released by the software giant in October by one.
Of December's 17 updates, two are rated critical, which Microsoft defines as a vulnerability whose exploitation could allow the propagation of an Internet worm without user action, while 14 are considered important and one is moderate.
December's updates will include addressing two issues related to the Stuxnet malware, says Mike Reavey, Director of Microsoft's Security Response Center, in a Thursday blog post. "This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware," he writes.
The updates will also address an IE vulnerability that could allow for remote code execution, which Microsoft began following in early November. The number of attempts to exploit this vulnerability has been low, Reavey says.
Microsoft will hold a Webcast on Wednesday, December 15, to go over this month's security updates. Registration for the Webcast is here.
In his blog post, Reavey also reviews the security updates that Microsoft has released during 2010. In total, Microsoft's bullet count for the year is 106, beating the amount released in past years, he writes. This is due in part to the fact that more vulnerabilities are being reported.
"This isn't really surprising when you think about product life cycles and the nature of vulnerability research," he says. While Microsoft supports products for up to ten years, vulnerability research is constantly being updated and improved, hence the trend toward more reports.
"Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known," he says.