Microsoft on Tuesday released its November 2008 security bulletin, including one patch rated "critical."
The critical bulletin affects Microsoft XML Core Services and Internet Explorer, while the "important" bulletin affects Microsoft Server Message Block (SMB) Protocol. Both affect all versions of Windows. Starting last month, Microsoft is sharing the technical details of new vulnerabilities to give software developers a chance to update affected products before the public announcement. Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in SMB Could Allow Remote Code Execution (957097)", this bulletin is important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and moderate for all supported editions of Windows Vista and Windows Server 2008. This bulletin addresses the vulnerability detailed in CVE-2008-4037. Microsoft says an attacker "who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 1-2. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)", this bulletin is rated critical for Microsoft XML Core Services 3.0 and important for Microsoft XML Core Services 4.0, Microsoft XML Core Services 5.0, and Microsoft XML Core Services 6.0. This bulletin replaces MS07-042 and addresses the three vulnerabilities detailed in CVE-2007-0099, CVE-2008-4029, and CVE-2008-4033. Microsoft says that "the most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer."