Hackers are likely to use social engineering tricks to lure users to infected Web ites and media files, they warned. The vulnerabilities are among 10 security updates that patch a record-tying 34 vulnerabilities in Windows, Internet Explorer, Office, and SharePoint.
[ Also on InfoWorld: Online scammers are targeting World Cup enthusiasts with malware | The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in our Web Browser Security Deep Dive PDF guide. ]
One bug in particular -- a Windows kernel TrueType font parsing vulnerability -- was rated as the most serious Patch Tuesday fix by Joshua Talbot, security intelligence manager for Symantec.
"Exploiting this -- likely through a drive-by download attack -- would give an attacker near system-level privileges. It's doubtful that attackers would compromise a legitimate site to exploit this vulnerability, so users should be extra cautious of social engineering tricks coaxing them to visit unfamiliar Web pages, which could contain a malicious font."
The TrueType vulnerability was contained in Security Bulletin MS10-032, one of the ten issued by Microsoft Tuesday.
However, Microsoft rated three other bulletins as being even more important than this one, with two of them involving potential drive-by downloads, which occur when users authorize a download without understanding the consequences, or that simply occur without the user's knowledge.
MS10-033, a critical bulletin, "is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file," Microsoft said.
With this vulnerability, hackers may use media files to lure users into downloading malicious code.
"This could result in a drive-by download where the user visits a specially crafted Website, and in this case it would be like a media file that could start streaming or the user could open a specially crafted media file that got sent to them via e-mail or some method like that," Microsoft security official Jerry Bryant said in a video accompanying the announcement.
These bugs are on par with some of the most critical ones observed on Patch Tuesday, says Andrew Storms, director of security operations at the security vendor nCircle.
Rather than making businesses vulnerable on the server side, this month's most serious bugs mainly target end-users, he said."What looks to be a normal movie file that you click on and watch could have embedded malware inside and take control of your system," Storms said.
Similarly, the new bulletin MS10-035 involves flaws in Internet Explorer which could also result in drive-by downloads.