Microsoft doles out two patches for four flaws

Share this article:
Microsoft on Tuesday delivered fixes for four vulnerabilities, three labeled critical, as part of its monthly security update.

The critical patch corrects three XML Core Services' flaws, which attackers could exploit to execute remote code by tricking a user into visiting a specially crafted web page or clicking on a malicious link.

Proof-of-concept code had been written to take advantage of one of the vulnerabilities, which has been known since January 2007, Symantec Security Response Vice President Alfred Huger said in a statement. He was not aware of any publicly available attack code.

"The XML code to exploit this is somewhat complex to set up, but it only takes one little click from a user to be effective," Huger said.

Amol Sarwate, manager of vulnerability labs at Qualys, told SCMagazineUS.com that these critical vulnerabilities should be taken seriously because most Windows machines have XML Core Services installed.

"That library is used by Microsoft Office, by SharePoint, by Internet Explorer and almost all of the programs used by Microsoft to process XML documents," he said.

The update also addresses an "important" bug in the Server Message Block (SMB) protocol, which provides shared access to files. The hole, originally reported some seven years ago, could be taken advantage of to install malicious programs; view, change or delete data or create user accounts with privileged access, according to Microsoft's November bulletin summary.

Public exploit code has been circulating for that vulnerability, the summary said.

But Sarwate said the flaw did not garner critical status because attack scenarios are complicated.

"For the SMB to be exploited, the attacker has to host a machine that responds to SMB requests in a certain way and the attacker has to entice the user to click on his or her email that accesses those SMB [file] shares," he said.
Share this article:

Sign up to our newsletters

More in News

Apple's iOS 7.1.1 fixes Webkit bugs, encryption bypass issue

Released Tuesday, the update prevents exploit via "triple handshake" attacks, which could allow a bypass of encryption safeguards.

'Unauthorized' media contact a fireable offense for U.S. intel employees

The new media policy states that U.S. intelligence employees who have "unauthorized" contact with the media could lose their jobs.

AOL Mail hack furthers spam campaign using spoofed accounts

AOL confirmed on Monday that it was aware of the issue and working to remediate the situation.