November's Patch Addresses Two Windows App Exploits

Redmond rolled out two patches on Tuesday -- one deemed "critical" and one "important."

Redmond rolled out two fixes in its Tuesday patch -- one deemed "critical" and one "important."

And, as expected, the November release comes with both fixes designed to stave off remote code execution (RCE) vulnerabilities in Windows programs.

The critical item affects Windows and Microsoft Office and deals specifically with Windows XML Core Services versions 3.0, 4.0 and 6.0. Windows XML Core Services helps developers create XML-based applications, such as Web apps that share structured data.

Knowledge about this vulnerability first emerged in January of 2007.

"Proof-of-concept code for this issue that causes the browser to crash was publicly released some time ago," said Alfred Huger, vice president of Symantec Security Response. "To exploit [the vulnerability] an attacker would have to get a user to view a compromised Web page or click on a malicious link."

According to Huger as well as Microsoft, when a user clicks on a corrupted link, XML coding in the page is processed and remote code execution will occur. However, it's somewhat complex to set up the XML code, from a hacker's perspective.

This critical fix is relevant for certain Internet Explorer and Microsoft SharePoint Server users, experts say. Affected operating systems include Windows 2000 Service Pack 4, Windows XP, Vista and Windows Server 2003 and 2008.

The second fix in this patch is deemed important. It resolves a previously disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol, according to the software giant. It's similar to a fix released 11 months ago covering Server Message Block Version 2.

If the RCE exploits were to compromise this SMB hole, an attacker could install programs and change privileges. For instance, a hacker could change, edit and delete privileges within the OS layer and configure user rights.

Although Microsoft stamped this second fix as important, don't ignore this patch, said Tyler Reguly, security research engineer at nCircle.

"SMB redirection has more play inside the enterprise, so both of these updates should be given equal consideration in the patching process," he said. "We continue to see an increased risk from insider threats and SMB redirection is the ultimate insider attack in today's enterprise environment where IE is often the corporate standard and can be made to pass credentials when a user simply visits a Web page."

Affected operating systems covered by this important fix include Windows 2000 Service Pack 4, Windows XP, Vista and Windows Server 2003 and 2008. The fix replaces two separate bulletins released in 2006 and 2005, respectively, for Windows 2000 SP4 and XP SP2.

Both updates will require restarts.

Meanwhile for items pertaining to general Windows updates and other nonsecurity content, this knowledgebase has a description of such hook-ups on Microsoft Update, Windows Update and Windows Server Update Services.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Spaceflight Training in the Middle of a Pandemic

    Surprisingly, the worldwide COVID-19 lockdown has hardly slowed down the space training process for Brien. In fact, it has accelerated it.

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.