Microsoft doles out two patches for four flaws

Share this article:
Microsoft on Tuesday delivered fixes for four vulnerabilities, three labeled critical, as part of its monthly security update.

The critical patch corrects three XML Core Services' flaws, which attackers could exploit to execute remote code by tricking a user into visiting a specially crafted web page or clicking on a malicious link.

Proof-of-concept code had been written to take advantage of one of the vulnerabilities, which has been known since January 2007, Symantec Security Response Vice President Alfred Huger said in a statement. He was not aware of any publicly available attack code.

"The XML code to exploit this is somewhat complex to set up, but it only takes one little click from a user to be effective," Huger said.

Amol Sarwate, manager of vulnerability labs at Qualys, told SCMagazineUS.com that these critical vulnerabilities should be taken seriously because most Windows machines have XML Core Services installed.

"That library is used by Microsoft Office, by SharePoint, by Internet Explorer and almost all of the programs used by Microsoft to process XML documents," he said.

The update also addresses an "important" bug in the Server Message Block (SMB) protocol, which provides shared access to files. The hole, originally reported some seven years ago, could be taken advantage of to install malicious programs; view, change or delete data or create user accounts with privileged access, according to Microsoft's November bulletin summary.

Public exploit code has been circulating for that vulnerability, the summary said.

But Sarwate said the flaw did not garner critical status because attack scenarios are complicated.

"For the SMB to be exploited, the attacker has to host a machine that responds to SMB requests in a certain way and the attacker has to entice the user to click on his or her email that accesses those SMB [file] shares," he said.
Share this article:

Sign up to our newsletters

More in News

POS malware risks millions of payment cards for Michaels, Aaron Brothers shoppers

POS malware risks millions of payment cards for ...

An investigation dating back to January has finally confirmed that malware on point-of-sale systems may have compromised payment card data for millions of Michaels Stores and Aaron Brothers customers.

Phishing scam targets Michigan public schools

Unknown attackers used the finance director's email account to request wire transfers from the school district's accounting department.

Contempt order against Lavabit still stands, appeals court rules

Contempt order against Lavabit still stands, appeals court ...

A federal appeals court backed an earlier ruling penalizing the email service.