In one of its biggest releases in recent months, Microsoft Corp. today issued 10 security bulletins detailing fixes for more than two dozen separate vulnerabilities -- several of which are already being actively exploited in the wild.
But the updates were not immediately available via Microsoft Update, Automatic Update or Windows Update Services because of what the company described as "technical difficulties."
"Technical teams are engaged and have been working around the clock" to make the updates available by the end of day today, the company said in a statement. "To be clear, it's a delay due to the networking for these systems," said a post on Microsoft's security response center blog this afternoon. "There are no issues with the security updates themselves." The delay does not affect customers using Microsoft's Software Update Services, Windows Update V4 or Office Update.
Those who want to download the patches immediately can do so manually by visiting Microsoft's TechNet site, the blog post said.
Six of the bulletins announced today are rated as critical by Microsoft and detail fixes for a total of 16 separate flaws. The rest of the bulletins addressed vulnerabilities that were rated as either important or moderate by Microsoft.
The bulletins covered a total of 26 separate flaws and are part of Microsoft's regularly scheduled monthly security updates for October. The list of products affected includes PowerPoint, Excel and Word.
"What's interesting to note here is that six of the flaws [covered by today's bulletins] are being exploited in the wild or have proof-of-concept code available," said Tom Cross, a vulnerability researcher with Atlanta-based Internet Security Systems Inc.'s X-Force threat analysis service.
Examples of active attacks against flaws fixed today include zero-day exploits against Excel and Word, Symantec Corp. said in an advisory released this afternoon. Similar attacks or proof-of-concept attacks are also available against some of the flaws addressed in security bulletins MS06-057, MS06-058 and MS06-63, Cross said.
"Today we are seeing a record high number of vulnerabilities being patched in a single month," said Monty Izerman, a senior manager of the global threat group at McAfee Avert Labs, in an e-mailed comment. Sixteen of the flaws patched today were discovered in application software products and continue a trend toward "application-based malware and application-targeted vulnerabilities," he said.
Of the fixes released today, the one described in MS06-057 is perhaps the most critical, McAfee noted. The critical flaw, which exists in Windows Shell, can be used to take complete control of compromised systems and has already been widely exploited in so-called "drive-by install" and "drive-by download" attacks via Internet Explorer, McAfee cautioned.