Microsoft will patch a large number of Windows kernel-mode device driver vulnerabilities later today, the researcher who reported them said.
Today's security updates will also close a bug in Internet Explorer (IE) that hackers have started exploiting, Microsoft confirmed Monday.
[ Get all the details you need on deploying and using Windows 7 in the InfoWorld editors' 21-page Windows 7 Deep Dive PDF special report. | Stay abreast of key Microsoft technologies in our Technology: Microsoft newsletter. ]
At around 1 p.m. ET, Microsoft will issue 17 security bulletins that fix a record 64 vulnerabilities in Windows, IE, Office, and Visual Studio.
"Yes, there will be a lot of kernel bugs addressed in the security bulletins next week," said Tarjei Mandt, a researcher who works for Norman ASA, a Norwegian antivirus firm. Mandt reported the vulnerabilities to Microsoft over the last six months.
One security expert who requested anonymity said that as many as half of the 64 vulnerabilities Microsoft plans to patch are kernel related.
But contrary to speculation last week by Computerworld that Mandt discovered the flaws while researching "kernel pool" exploits, the bugs Microsoft will patch today are more mundane.
At the Black Hat security conference last January, Mandt led a presentation and published a paper (download PDF) on kernel pool exploitation techniques in Windows 7. Kernel pools are memory blocks devoted to the operating system's kernel.
"They are not related to the research I did on the Windows kernel pool," said Mandt in an email reply to questions. "It's rather a class of bugs that is being fixed, present in the kernel component of the Windows user interface (win32k.sys), which dates back as far as Windows NT 4.0."
Microsoft has patched "win32k.sys," Windows' kernel-mode device driver, several times in the last year. Last February, Mandt was credited with reporting five flaws in win32k.sys that Microsoft patched in the MS11-012 update. Microsoft also addressed vulnerabilities in the kernel-mode driver in June, August, October and December 2010, fixing a total of 16 bugs. Five of those were reported by Mandt.
All the win32k.sys vulnerabilities were rated as "important," the second-highest threat ranking in Microsoft's four-step scoring system, and were classified as "elevation of privilege," or EoP bugs.
EoP vulnerabilities let attackers obtain higher administrative rights, and thus access to more resources than the compromised computer's user would normally have.