Microsoft Releases Light, But Serious, Security Bundle
Although this month's two-patch security bundle is small, the patches repaired critical vulnerabilities in Microsoft's XML Core Services and Server Message Block Protocol. The flaws affect several versions of Windows, including Windows 2000, XP and Vista, as well as Server 2003, Server 2008 and numerous Office applications.
Adding to the severity of the flaw in XML Core Services is the fact that XML is so ubiquitous in the enterprise work environment. And experts say that exploit code for the flaw is already loose in the wild.
"With XML Core Services, it's used just so widely across the enterprise today. It literally provides the linkage between Javascript and Visual Studio applications," said Paul Henry, security and forensic analyst at Lumension Security.
Experts say that, if exploited, the glitch could enable remote attackers to execute arbitrary code on a user's computer by enticing the user to view a malicious Web page via Internet Explorer—usually through a phishing message or some kind of social engineering.
"Quite simply, it would provide a bad guy with access to your intellectual property and process within your organization. The integrity of (the data) would be questionable if you have not patched," said Henry.
The second patch, given the less severe rating of "important," fixed a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. A successful exploit would enable remote attackers to launch malicious code on a user's PC, subsequently allowing them to install programs, alter data or create new accounts with full access privileges.
Despite its "important" designation, the SMB Protocol error allowed remote code execution, a type of glitch that is typically given a "critical" rating. Microsoft also ranked the error with a "1" on its exploitability index, indicating that exploit code is either active in the wild or anticipated within 30 days, experts say.
"I believe myself that it is something that requires an urgent response," said Henry. "We like to view any vulnerability that can provide remote code execution as being critical in nature. Anything that can impact integrity, any remote code execution, is critical."
Microsoft's light patch load follows last month's mammoth 11-patch security bulletin. It also comes just three weeks after Microsoft released an almost unprecedented out-of-band patch addressing a malicious Internet worm that could allow attackers to infiltrate systems remotely and take control over users' computers without any user interaction.
The emergency patch was one of a handful of out-of-band patches released in the past three years and the only one released in about a year and a half, experts say. Since then, security experts found evidence of in-the-wild attacks that exploited the vulnerability on unpatched systems.
Security experts recommend that users patch their systems with November's security updates as soon as possible.
"The bad guys have really done their homework," said Henry. "It speaks volumes to the need not only to patch quickly, but patch widely."