November's Patch Addresses Two Windows App Exploits

Redmond rolled out two patches on Tuesday -- one deemed "critical" and one "important."

Redmond rolled out two fixes in its Tuesday patch -- one deemed "critical" and one "important."

And, as expected, the November release comes with both fixes designed to stave off remote code execution (RCE) vulnerabilities in Windows programs.

The critical item affects Windows and Microsoft Office and deals specifically with Windows XML Core Services versions 3.0, 4.0 and 6.0. Windows XML Core Services helps developers create XML-based applications, such as Web apps that share structured data.

Knowledge about this vulnerability first emerged in January of 2007.

"Proof-of-concept code for this issue that causes the browser to crash was publicly released some time ago," said Alfred Huger, vice president of Symantec Security Response. "To exploit [the vulnerability] an attacker would have to get a user to view a compromised Web page or click on a malicious link."

According to Huger as well as Microsoft, when a user clicks on a corrupted link, XML coding in the page is processed and remote code execution will occur. However, it's somewhat complex to set up the XML code, from a hacker's perspective.

This critical fix is relevant for certain Internet Explorer and Microsoft SharePoint Server users, experts say. Affected operating systems include Windows 2000 Service Pack 4, Windows XP, Vista and Windows Server 2003 and 2008.

The second fix in this patch is deemed important. It resolves a previously disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol, according to the software giant. It's similar to a fix released 11 months ago covering Server Message Block Version 2.

If the RCE exploits were to compromise this SMB hole, an attacker could install programs and change privileges. For instance, a hacker could change, edit and delete privileges within the OS layer and configure user rights.

Although Microsoft stamped this second fix as important, don't ignore this patch, said Tyler Reguly, security research engineer at nCircle.

"SMB redirection has more play inside the enterprise, so both of these updates should be given equal consideration in the patching process," he said. "We continue to see an increased risk from insider threats and SMB redirection is the ultimate insider attack in today's enterprise environment where IE is often the corporate standard and can be made to pass credentials when a user simply visits a Web page."

Affected operating systems covered by this important fix include Windows 2000 Service Pack 4, Windows XP, Vista and Windows Server 2003 and 2008. The fix replaces two separate bulletins released in 2006 and 2005, respectively, for Windows 2000 SP4 and XP SP2.

Both updates will require restarts.

Meanwhile for items pertaining to general Windows updates and other nonsecurity content, this knowledgebase has a description of such hook-ups on Microsoft Update, Windows Update and Windows Server Update Services.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Secure Score Hits General Availability

    Microsoft on Monday announced the general availability of the Microsoft Secure Score service within the Microsoft 365 Security Center portal.

  • 2020 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss. (Now updated with COVID-19-related event changes.)

  • Microsoft Teams Roadmap: Support for 1,000 Meeting Attendees, New Hardware

    Microsoft Teams is poised to receive a raft of new features in the coming months, many of them designed to make remote videoconferences feel more "natural."

  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.