* Microsoft addresses record 49 flaws in its software
* Affects Windows, Internet Explorer, Office
* Fixes vulnerability exploited by Stuxnet virus
(Adds details on Stuxnet virus, comments from researcher)
By Jim Finkle
BOSTON, Oct 12 Microsoft Corp (MSFT.O) issued
its biggest-ever security fix on Tuesday, including repairs to
its ubiquitous Windows operating system and Internet browser
for flaws that could let hackers take control of a PC.
The new patches aim to fix a number of vulnerabilities,
including one exploited by the notorious Stuxnet virus that attacked an Iranian
nuclear power plant and other industrial control systems around
Microsoft said four of the new patches -- software updates
that write over glitches -- were of the highest priority and
should be deployed immediately to protect users from potential
criminal attacks on the Windows operating systems.
Microsoft said it also repaired other less serious security
weaknesses in Windows, along with security problems in its
widely used Office software for PCs and Microsoft Server
software for business computers.
Microsoft released 16 security patches to address 49
problems in its products, many of which were discovered by
outside researchers who seek out such vulnerabilities to win
cash bounties as well as notoriety for their technical
"This is a huge jump," said Amol Sarwate, a research
manager with computer security provider Qualys Inc. "I think
the reason for it is that more and more people are out there
looking for vulnerabilities."
The geeks who report such vulnerabilities to software
makers are known as "white hat" hackers. Sarwate warned that
there are also plenty of "black hats," or criminal hackers who
look for vulnerabilities in software that they can exploit to
launch attacks on computer systems.
Indeed, the world's biggest software maker said that the
patches released on Tuesday include software to fix a
vulnerability exploited by the Stuxnet virus -- a malicious
program that attacks PCs used to run power plants and other
infrastructure running Siemens (SIEGn.DE) industrial control
The virus, which infected computers at Iran's Bushehr
nuclear power plant, was discovered over the summer. Security
researcher Symantec said that it detected the highest
concentration of the virus on computer systems in Iran, though
it was also spotted in Indonesia, India, the United States,
Australia, Britain, Malaysia and Pakistan.
So far Microsoft has patched three of the four
vulnerabilities exploited by Stuxnet's unknown creators.
The total of 49 vulnerabilities exceeds the previous record
of 34, which was set in October 2009 and matched in June and
August of this year.
The constant patching of PCs is a time-consuming process
for corporate users, who need to test the fixes before they
deploy them to make sure they do not cause machines to crash
because of compatibility problems with existing software.
(Reporting by Jim Finkle. Editing by Robert MacMillan, Gary