Microsoft doles out two patches for four flaws

Share this article:
Microsoft on Tuesday delivered fixes for four vulnerabilities, three labeled critical, as part of its monthly security update.

The critical patch corrects three XML Core Services' flaws, which attackers could exploit to execute remote code by tricking a user into visiting a specially crafted web page or clicking on a malicious link.

Proof-of-concept code had been written to take advantage of one of the vulnerabilities, which has been known since January 2007, Symantec Security Response Vice President Alfred Huger said in a statement. He was not aware of any publicly available attack code.

"The XML code to exploit this is somewhat complex to set up, but it only takes one little click from a user to be effective," Huger said.

Amol Sarwate, manager of vulnerability labs at Qualys, told SCMagazineUS.com that these critical vulnerabilities should be taken seriously because most Windows machines have XML Core Services installed.

"That library is used by Microsoft Office, by SharePoint, by Internet Explorer and almost all of the programs used by Microsoft to process XML documents," he said.

The update also addresses an "important" bug in the Server Message Block (SMB) protocol, which provides shared access to files. The hole, originally reported some seven years ago, could be taken advantage of to install malicious programs; view, change or delete data or create user accounts with privileged access, according to Microsoft's November bulletin summary.

Public exploit code has been circulating for that vulnerability, the summary said.

But Sarwate said the flaw did not garner critical status because attack scenarios are complicated.

"For the SMB to be exploited, the attacker has to host a machine that responds to SMB requests in a certain way and the attacker has to entice the user to click on his or her email that accesses those SMB [file] shares," he said.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Google to encrypt data by default on Android L devices

The mobile operating system, Android L, is expected to be released later this year.

EFF Tor Challenge yields more than 1600 relays

The privacy group said the response to the Challenge exceeded its projections threefold.

Home Depot ignored security employees' vulnerability warnings

The New York Times reported that the retailer's security team warned of possible system vulnerabilities but managers never followed through.