Microsoft on Tuesday issued its November patch update, which fixes a total of 15 vulnerabilities in Windows, Windows Server, and Office, including one that has already been made public.
The MS09-065 bulletin is the most urgent of the six bulletins in this month's update and addresses three vulnerabilities pertaining to the Windows kernel. Of these three, a vulnerability that affects the way the Windows kernel parses Embedded OpenType fonts is the most critical because the party that reported it to Microsoft also disclosed it to the public.
Attackers could use this remote code execution vulnerability to set up a rigged Web site with embedded fonts that could enable them to take control of visitors' PCs, said Jason Miller, Data and Security Team Leader at Shavlik Technologies, a St. Paul, Minn.-based security vendor.
"The Internet is the number one attack vector," said Miller. "With this one, all an attacker has to do is lure someone to a Web site, and because it's public, there's a race going on right now to exploit it."
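Because the Embedded OpenType flaw is driven by fonts a page pulls in, one thing a web-proxy or incident-response team can do while patches roll out is flag pages whose stylesheets load .eot resources for review. The following Python helper is an added example and not code from the article or from Shavlik; the sample HTML and the fonts.example.invalid hostname are constructed for illustration.

```python
import re

# Constructed sample page: one ordinary @font-face rule (WOFF) and one that
# pulls an Embedded OpenType (.eot) file. The hostname is a placeholder.
SAMPLE_HTML = """
<style>
  @font-face { font-family: "Corp"; src: url(/fonts/corp.woff) format("woff"); }
  @font-face {
    font-family: 'Lure';
    src: url('http://fonts.example.invalid/lure.eot?#iefix') format('embedded-opentype'),
         url('http://fonts.example.invalid/lure.ttf');
  }
</style>
<link rel="stylesheet" href="/css/site.css">
"""

# Constructed page with no embedded fonts at all, to show the negative case.
CLEAN_HTML = "<style>body { font-family: Arial, sans-serif; }</style>"

# Matches the body of each @font-face { ... } rule.
FONT_FACE_RE = re.compile(r"@font-face\s*\{(.*?)\}", re.IGNORECASE | re.DOTALL)

# Matches url(...) inside a src: declaration, with an optional format(...) hint.
SRC_URL_RE = re.compile(
    r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)"
    r"(?:\s*format\(\s*['\"]?([^'\")]+)['\"]?\s*\))?",
    re.IGNORECASE,
)


def find_eot_font_sources(text):
    """Return the font URLs inside @font-face rules that reference EOT data.

    A source counts as EOT when its path (before any ? or # suffix) ends in
    .eot, or when its format() hint is 'embedded-opentype'. Both checks are
    needed: IE-style '?#iefix' suffixes hide the extension, and some sites
    serve EOT data under other extensions with only the format hint set.
    """
    hits = []
    for block in FONT_FACE_RE.finditer(text):
        for url, fmt in SRC_URL_RE.findall(block.group(1)):
            path = url.split("?", 1)[0].split("#", 1)[0].strip()
            is_eot_ext = path.lower().endswith(".eot")
            is_eot_fmt = fmt.strip().lower() == "embedded-opentype"
            if is_eot_ext or is_eot_fmt:
                hits.append(url.strip())
    return hits


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        print(label, find_eot_font_sources(page))
```

The helper only looks at inline styles and CSS text handed to it; external stylesheets such as the /css/site.css link in the sample would have to be fetched and passed through the same function. It reports candidates for human review, not verdicts, since legitimate sites also ship EOT fonts for older Internet Explorer versions.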
The MS09-063 bulletin deals with a vulnerability that only affects Windows Vista and Windows Server 2008. It affects the Web Services on Devices API (WSDAPI) service, which is designed to help improve the user experience by allowing users to easily find devices on the network. Ironically, this convenience means that the service can be exploited by attackers through the use of specially crafted packets, according to Miller.
"Windows relies on services running in the background to carry out commands for you. The problem is, with every new feature in Windows there is a new line of code," and the attack target grows larger, Miller said.
Windows 2000 isn't in widespread use but is still kicking around the corners of some companies' server rooms. Two November Microsoft bulletins, MS09-066 and MS09-064, target vulnerabilities in Windows 2000 that could create problems for these firms.
One of these is a remote code execution flaw in License Logging Server, a service that's on by default in Windows 2000. This one would have been a big deal six years ago, when Windows 2000 was more prevalent. Still, companies that are still running older applications such as point of sale systems on Windows 2000 should apply this patch, Miller said.
The other Windows 2000-specific vulnerability affects Active Directory and could lead to denial of service attacks, although this one is difficult to exploit, Miller said.
Rounding out this month's Patch Tuesday release, which follows October's record 13 bulletins, are fixes for several vulnerabilities in Microsoft Word and Excel that hold the potential for remote code execution, according to Microsoft.