Microsoft Corp has released patches for 22 security vulnerabilities, most of which would allow remote code execution if exploited, its largest Patch Tuesday to date.
Some of the vulnerabilities would appear to be suitable malware vectors. Windows, Internet Explorer, Office, Media Player and Exchange are affected.
There are 12 patches in total, covering 22 vulnerabilities. Eight of the bulletins and 17 of the vulnerabilities are rated critical by Microsoft.
Critical vulnerabilities mean they would be suitable for exploitation by automated malware, such as a worm.
However, most of the five important vulnerabilities would also allow remote code execution, though not necessarily by a worm.
Chris Andrew, senior security researcher at PatchLink Corp, said MS06-023 is probably the bulletin that will attract the most attention from malicious hackers.
That vulnerability is in the Jscript implementation in Windows. Because it’s in code that executes a scripting language, Andrew said, that will make it easier to exploit.
There are also several vulnerabilities in common Microsoft consumer software that could prove useful for malware writers looking for a file-based attack vector.
Word, Windows Media Player and PowerPoint are affected by such vulnerabilities, as are at least two image rendering engines. Look at a picture, get infected.
About 18 separate sets of researchers were involved in finding the vulnerabilities, further evidence, if it were needed, of the growing industry linked to Patch Tuesday.