Only two advisories are marked critical this month. The first critical fix is likely the most important. MS10-090, addresses 5 critical and 2 moderate flaws in Internet Explorer some of which are being actively exploited in the wild.
MS10-090 not only affects Windows 7 and Internet Explorer 8 as noted in the screenshot, it impacts all versions of Internet Explorer that are currently supported. For more information refer to our blog Internet Explorer users warned of new zero-day attacks.
Update: SophosLabs have posted our vulnerability analysis for MS10-090 in the Sophos knowledgebase.The second critical fix, MS10-091, addresses a privately disclosed bug in font handling. This one is strange in that it is a more severe flaw in Windows 7, 2008 and Vista than in XP and 2003.
On the older OSs this flaw allows elevation of privilege which could allow an attacker who gains access to a system with standard user rights to become an administrator. On Windows 7, 2008 and Vista this flaw can be used to remotely execute code as an administrator. Although this is not known to be actively exploited in the wild I would make this a very high priority patch now that it has been publicly acknowledged.
Other items to note this month are that the last of the Stuxnet vulnerabilities have been addressed with MS10-092.
The kernel EoP vulnerability I reported last month doesn’t appear to have been addressed, nor is a new CSS vulnerability in Internet Explorer that was disclosed last week on the Full Disclosure mailing list. As usual I guess we have plenty to look forward to on January 11th, 2011 starting the new year off on the right security footing.
Update: SophosLabs have updated the latest vulnerabilities knowledgebase article with information about all of the patches released today.