Microsoft on Tuesday released a substantial set of software patches, addressing 31 vulnerabilities with 10 security bulletins.
That's the largest number of vulnerabilities fixed in a single day since the company began issuing regular patches on the second Tuesday of every month in October 2003.
The company's June Patch Day includes six bulletins designated "critical," three "important," and one "moderate."
Affected software includes: Active Directory on Microsoft Windows 2000 Server and Windows Server 2003; Active Directory Application Mode when installed on Windows XP Professional and Windows Server 2003; Windows Print Spooler; Internet Explorer; Microsoft Office Word; Microsoft Office Excel; Microsoft Works Converters; Windows remote procedure call; Windows kernel; Microsoft Internet Information Services; and Windows Search.
Not included is a patch for a known vulnerability in Microsoft DirectX's DirectShow that can be exploited through a maliciously crafted QuickTime file. In late May, Microsoft issued a security advisory stating that the DirectShow-QuickTime vulnerability could be used "as a browse-and-get-owned attack vector."
In the meantime, Microsoft has provided a one-click "Fix it" button on its support site that disables QuickTime parsing in DirectShow, a workaround that protects vulnerable systems until a patch ships.
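What that button does under the hood is a registry change, so an administrator who cannot click it on every machine can check for and apply the same workaround in PowerShell. The script below is an added example, not code from the article or from Microsoft; the CLSID it uses is assumed to be the DirectShow QuickTime Movie Parser filter that the advisory's workaround unregisters, and should be verified against the advisory before use. It backs the key up before touching it so the change can be reverted once the real patch is installed.

```powershell
# Added example: check for, and apply, the "disable QuickTime parsing" workaround.
# Assumption: this CLSID is the DirectShow QuickTime Movie Parser filter named in
# Microsoft's advisory; the article itself does not state the value.
$QtParserClsid = '{D51BD5A0-7548-11CF-A520-0080C77EF58A}'
$KeyPath       = "Registry::HKEY_CLASSES_ROOT\CLSID\$QtParserClsid"
$BackupFile    = Join-Path $env:TEMP 'quicktime-parser-clsid.reg'

function Test-QuickTimeParserDisabled {
    # True when the filter's CLSID is no longer registered, i.e. the workaround is in place.
    return (-not (Test-Path -LiteralPath $KeyPath))
}

function Disable-QuickTimeParser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (Test-QuickTimeParserDisabled) {
        Write-Verbose 'QuickTime parser already unregistered; nothing to do.'
        return
    }

    # Export the key first so "reg import" can restore it after patching.
    & reg.exe export "HKCR\CLSID\$QtParserClsid" $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupFile failed; refusing to remove the key."
    }

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove registry key')) {
        Remove-Item -LiteralPath $KeyPath -Recurse -Force
    }
}

function Restore-QuickTimeParser {
    # Re-registers the filter from the backup taken by Disable-QuickTimeParser.
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile"
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed' }
}

# Usage (run from an elevated prompt; -WhatIf shows the change without making it):
#   Test-QuickTimeParserDisabled
#   Disable-QuickTimeParser -WhatIf
#   Disable-QuickTimeParser -Verbose
#   Restore-QuickTimeParser
```

Writing to HKEY_CLASSES_ROOT requires an elevated session, and 64-bit systems carry a second copy of the CLSID under the WOW6432Node hive for 32-bit browsers, so a thorough check should test both; the example covers only the native view.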
A fix for the IIS WebDAV flaw that Microsoft warned about in mid-May is included.
Four of the 10 bulletins in the June patch cycle address publicly disclosed vulnerabilities.
Tas Giakouminakis, CTO of Rapid7, observed in an e-mailed statement that attackers are taking advantage of vulnerabilities faster than ever before. "We've seen the patch window for Microsoft vulnerabilities shrink to the point where vulnerabilities are being exploited on the day the patches are released or even prior to that," he said.
Bulletin MS09-019 includes a fix for the vulnerability exploited by a hacker known as "Nils" at the 2009 CanSecWest Pwn2Own competition. Nils demonstrated the exploit against an earlier IE8 build, so Microsoft doesn't expect to see the vulnerability exploited in the wild against users of Vista or Windows 7.
Andrew Storms, director of security operations for nCircle, said in an e-mailed statement, "Client-side, browser-based vulnerabilities continue to top the charts for threats, so every user should put [MS09-019] at the top of their 'install immediately' list."
InformationWeek has published an in-depth report on Windows 7 (download requires registration).