Microsoft doles out two patches for four flaws

Share this article:
Microsoft on Tuesday delivered fixes for four vulnerabilities, three labeled critical, as part of its monthly security update.

The critical patch corrects three XML Core Services' flaws, which attackers could exploit to execute remote code by tricking a user into visiting a specially crafted web page or clicking on a malicious link.

Proof-of-concept code had been written to take advantage of one of the vulnerabilities, which has been known since January 2007, Symantec Security Response Vice President Alfred Huger said in a statement. He was not aware of any publicly available attack code.

"The XML code to exploit this is somewhat complex to set up, but it only takes one little click from a user to be effective," Huger said.

Amol Sarwate, manager of vulnerability labs at Qualys, told SCMagazineUS.com that these critical vulnerabilities should be taken seriously because most Windows machines have XML Core Services installed.

"That library is used by Microsoft Office, by SharePoint, by Internet Explorer and almost all of the programs used by Microsoft to process XML documents," he said.

The update also addresses an "important" bug in the Server Message Block (SMB) protocol, which provides shared access to files. The hole, originally reported some seven years ago, could be taken advantage of to install malicious programs; view, change or delete data or create user accounts with privileged access, according to Microsoft's November bulletin summary.

Public exploit code has been circulating for that vulnerability, the summary said.

But Sarwate said the flaw did not garner critical status because attack scenarios are complicated.

"For the SMB to be exploited, the attacker has to host a machine that responds to SMB requests in a certain way and the attacker has to entice the user to click on his or her email that accesses those SMB [file] shares," he said.
Share this article:

Sign up to our newsletters

More in News

CyberMaryland conference returns, hosts job fair for military vets

The conference will be anchored by the Maryland Cyber Challenge and Competition, a security job fair, and more.

Andromeda bot spreads Tor-using CTB-Locker ransomware

Andromeda bot spreads Tor-using CTB-Locker ransomware

Kaspersky Lab has observed Andromeda bot being used to deliver CTB-Locker, a new ransomware that hides its command-and-control server on the Tor network.

Cyber Command tests gov't collaboration in wake of attacks

The two-week exercise, "Cyber Guard 14-1," was completed this month.