November's Patch Addresses Two Windows App Exploits

Redmond rolled out two patches on Tuesday -- one deemed "critical" and one "important."

Redmond rolled out two fixes in its Tuesday patch -- one deemed "critical" and one "important."

And, as expected, the November release comes with both fixes designed to stave off remote code execution (RCE) vulnerabilities in Windows programs.

The critical item affects Windows and Microsoft Office and deals specifically with Windows XML Core Services versions 3.0, 4.0 and 6.0. Windows XML Core Services helps developers create XML-based applications, such as Web apps that share structured data.

Knowledge about this vulnerability first emerged in January of 2007.

"Proof-of-concept code for this issue that causes the browser to crash was publicly released some time ago," said Alfred Huger, vice president of Symantec Security Response. "To exploit [the vulnerability] an attacker would have to get a user to view a compromised Web page or click on a malicious link."

According to Huger as well as Microsoft, when a user clicks on a corrupted link, XML coding in the page is processed and remote code execution will occur. However, it's somewhat complex to set up the XML code, from a hacker's perspective.

This critical fix is relevant for certain Internet Explorer and Microsoft SharePoint Server users, experts say. Affected operating systems include Windows 2000 Service Pack 4, Windows XP, Vista and Windows Server 2003 and 2008.

The second fix in this patch is deemed important. It resolves a previously disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol, according to the software giant. It's similar to a fix released 11 months ago covering Server Message Block Version 2.

If the RCE exploits were to compromise this SMB hole, an attacker could install programs and change privileges. For instance, a hacker could change, edit and delete privileges within the OS layer and configure user rights.

Although Microsoft stamped this second fix as important, don't ignore this patch, said Tyler Reguly, security research engineer at nCircle.

"SMB redirection has more play inside the enterprise, so both of these updates should be given equal consideration in the patching process," he said. "We continue to see an increased risk from insider threats and SMB redirection is the ultimate insider attack in today's enterprise environment where IE is often the corporate standard and can be made to pass credentials when a user simply visits a Web page."

Affected operating systems covered by this important fix include Windows 2000 Service Pack 4, Windows XP, Vista and Windows Server 2003 and 2008. The fix replaces two separate bulletins released in 2006 and 2005, respectively, for Windows 2000 SP4 and XP SP2.

Both updates will require restarts.

Meanwhile for items pertaining to general Windows updates and other nonsecurity content, this knowledgebase has a description of such hook-ups on Microsoft Update, Windows Update and Windows Server Update Services.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

  • Microsoft Shifts 2020 Events To Be Online Only

    Microsoft is shifting its big events this year to be online only, including Ignite 2020.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.