Microsoft fixes four flaws with two patches

Microsoft on Tuesday released its November 2008 security bulletin, including one patch rated "critical."

The critical bulletin affects Microsoft XML Core Services and Internet Explorer, while the "important" bulletin affects Microsoft Server Message Block (SMB) Protocol. Both affect all versions of Windows. Starting last month, Microsoft is sharing the technical details of new vulnerabilities to give software developers a chance to update affected products before the public announcement. Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-068: Important

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in SMB Could Allow Remote Code Execution (957097)", this bulletin is important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and moderate for all supported editions of Windows Vista and Windows Server 2008. This bulletin addresses the vulnerability detailed in CVE-2008-4037. Microsoft says an attacker "who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-069: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)", this bulletin is rated critical for Microsoft XML Core Services 3.0 and important for Microsoft XML Core Services 4.0, Microsoft XML Core Services 5.0, and Microsoft XML Core Services 6.0. This bulletin replaces MS07-042 and addresses the three vulnerabilities detailed in CVE-2007-0099, CVE-2008-4029, and CVE-2008-4033. Microsoft says that "the most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer."

[joetesta70]

Thanks for keeping on top of things Microsoft!

[The_Decider]

4 down, a few thousand to go.

Yup, they are on top of things.

Of course this assumes that this patch isn't exploitable.

[gabeheim]

According to what I read at http://www.pcworld.com/businesscenter/article/153719/microsoft_security_patch_was_seven_years_in_the_making.html, it seems they are really on top of things. Known vulnerabilities will not go unpatched any longer than seven years.

[Penguinisto]

So joe... how many did they not patch? ;)

(and When, oh When will Microsoft finally detatch IE from the damned OS core!? Cripes - they could fix most of their security woes right there...)

[mbenedict]

What are you talking about? The critical vulnerability is in XML Core Services (MSXML), not in IE. Perhaps you understand the difference? And IE's internals are no more part of the "OS core" than WebKit is part of OS X.

In fact OS X has a similar service called NSXML, which has many security vulnerabilities as well. Here's a recent one:

http://www.juniper.net/security/auto/vulnerabilities/vuln28367.html

"Severity: HIGH Description: Apple Mac OS X Foundation framework is prone to a race-condition security vulnerability. This issue affects the error-handling logic of the 'NSXML' API."

[Penguinisto]

You do know that XML Core Engine (formerly MSXML) was a part of IE, and has been interdependent with IE ever since IE 4, right?

ref: http://en.wikipedia.org/wiki/MSXML

NSXML is a different creature altogether, and is not (nor has ever been) a part of Safari.

BTW: since when does one suddenly count as "many"? It's like saying that one drop of water makes up "many" parts of a swimming pool.

[Vegaman_Dan]

Now THAT is more like it! That's the troll of FUD and misinformation that you're known for, Penguinisto! Instant knee-jerk reaction on your part with no actual useful content, but plenty of hatred and bigotry.

And here I was worried you were losing your touch.

Welcome back, Penguinisto! Your trolling has been missed.

[mbenedict]

@Penguinisto:

Uh, no, learn to read please. Since v4, MSXML is *INDEPENDENT* of IE, exactly opposite of *INTERDEPENDENT* as you claim.

From the Wikipedia link you cite:

"MSXML 4.0 MSXML4 was shipped as an INDEPENDENT, downloadable SDK targeted at Independent Software Vendors and third parties."

[jemiller0]

I would like to see them get rid of the COM based XML component. It's had lots of security holes in it. Back at PDC 2003 Microsoft was saying that Vista's UI was going to be 95+% implemented in .NET. They back pedalled on that. I would like to see them start switching over to using .NET for more things. You can't buffer overflow .NET code (or at least not as easily) like you can native code like COM.

[mbenedict]

Agreed, the movement to managed APIs is generally a good thing from a security perspective. But in reality native APIs will not go away soon (and might always be needed for certain things) so both sets of APIs will need to co-exist.

But at least Microsoft made the strategic move years ago towards a managed world, at least for applications. Other platforms are stuck with native "C-based" APIs and will increasingly suffer going forward.

[ronorato]

Did this update crash anyone's computer? Mine would not reboot on the restart. Fortunately, all was backed up. I am curious if anyone else had the problem or knew what caused it.