Microsoft and third-party security experts warned that users could be subjected to drive-by downloads because of flaws in Windows and Internet Explorer that received fixes on Patch on Tuesday this week US time.
Hackers are likely to use social engineering tricks to lure users to infected websites and media files, they warned. The vulnerabilities are among 10 security updates that patch a record-tying 34 vulnerabilities in Windows, Internet Explorer, Office and SharePoint.
One bug in particular — a Windows kernel TrueType font parsing vulnerability — was rated as the most serious Patch Tuesday fix by Joshua Talbot, security intelligence manager for Symantec.
"Exploiting this, likely through a drive-by download attack, would give an attacker near system-level privileges. It's doubtful that attackers would compromise a legitimate site to exploit this vulnerability, so users should be extra cautious of social engineering tricks coaxing them to visit unfamiliar web pages, which could contain a malicious font," Talbot says.
The TrueType vulnerability was contained in Security Bulletin MS10-032, one of the ten issued by Microsoft Tuesday.
However, Microsoft rated three other bulletins as being even more important than this one, with two of them involving potential drive-by downloads, which occur when users authorise a download without understanding the consequences, or that simply occur without the user's knowledge.
MS10-033, a critical bulletin, "is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file," Microsoft said.
With this vulnerability, hackers may use media files to lure users into downloading malicious code.
"This could result in a drive-by download where the user visits a specially crafted website, and in this case it would be like a media file that could start streaming or the user could open a specially crafted media file that got sent to them via email or some method like that," Microsoft security official Jerry Bryant said in a video accompanying the announcement.
These bugs are on par with some of the most critical ones observed on Patch Tuesday, says Andrew Storms, director of security operations at the security vendor nCircle.
Rather than making businesses vulnerable on the server side, this month's most serious bugs mainly target end users, he said.
"What looks to be a normal movie file that you click on and watch could have embedded malware inside and take control of your system," Storms said.
Similarly, the new bulletin MS10-035 involves flaws in Internet Explorer which could also result in drive-by downloads.
A third critical bulletin, MS10-034, involves ActiveX Kill Bits and affects Windows 2000, XP, Vista and Windows 7.
Kill Bits ensure that vulnerable ActiveX controls can no longer be exploited through Internet Explorer.
Typically, Kill Bits are issued for third-party software, rather than for software created by Microsoft, according to Storms. What is unusual about MS10-034 is that two out of the six Kill Bits being issued are for Microsoft ActiveX controls.
"What that means is Microsoft has found one of their ActiveX controls to be vulnerable as well," Storms said. "Today they found two. That's unusual. We haven't seen that from Microsoft since last summer."
Overall, this was a record-setting month for Patch Tuesday.
"This is the largest Microsoft patch release of 2010 and ties the record for the most vulnerabilities ever addressed in a single month; a record set in October of last year," Talbot of Symantec said. "This month's release also features the largest ever single bulletin, with 14 vulnerabilities in Excel being addressed together."