November's Patch Addresses Exploits in Two Windows Applications

One "critical," one "important" fix

Redmond rolled out two fixes in its Tuesday patch -- one deemed "critical" and one "important."

As expected, both fixes in the November release are designed to stave off remote code execution (RCE) vulnerabilities in Windows programs.

The critical item affects Windows and Microsoft Office and deals specifically with Windows XML Core Services versions 3.0, 4.0 and 6.0. Windows XML Core Services helps developers create XML-based applications, such as Web apps that share structured data.

Knowledge about this vulnerability first emerged in January 2007.

"Proof-of-concept code for this issue that causes the browser to crash was publicly released some time ago," said Alfred Huger, vice president of Symantec Security Response. "To exploit [the vulnerability] an attacker would have to get a user to view a compromised Web page or click on a malicious link."

According to Huger as well as Microsoft, when a user clicks on a corrupted link, the XML code in the page is processed and remote code execution will occur. However, it's somewhat complex for a hacker to set up the XML code.

This critical fix is relevant for certain Internet Explorer and Microsoft SharePoint Server users, experts say. Affected operating systems include Windows 2000 Service Pack 4, Windows XP, Vista, and Windows Server 2003 and 2008.

The second fix in this patch is categorized as important. It resolves a previously disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol, according to the software giant. It's similar to a fix released 11 months ago covering Server Message Block Version 2.

If an RCE exploit were to take advantage of this SMB hole, an attacker could install programs and change privileges. For instance, a hacker could change, edit and delete privileges within the OS layer and configure user rights.

Although Microsoft stamped this second fix as important, don't ignore this patch, said Tyler Reguly, security research engineer at nCircle.

"SMB redirection has more play inside the enterprise, so both of these updates should be given equal consideration in the patching process," he said. "We continue to see an increased risk from insider threats and SMB redirection is the ultimate insider attack in today's enterprise environment where IE is often the corporate standard and can be made to pass credentials when a user simply visits a Web page."

Affected operating systems covered by this important fix include Windows 2000 Service Pack 4, Windows XP, Vista, and Windows Server 2003 and 2008. The fix replaces two separate bulletins released in 2006 and 2005, respectively, for Windows 2000 SP4 and XP SP2.

Both updates will require restarts.

Meanwhile, for general Windows updates and other nonsecurity content, this Knowledge Base article describes such items on Microsoft Update, Windows Update, and Windows Server Update Services.

-- Jabulani Leffall
