Microsoft doles out two patches for four flaws

Microsoft on Tuesday delivered fixes for four vulnerabilities, three labelled critical, as part of its monthly security update.

The critical patch corrects three flaws in XML Core Services, which attackers could exploit to execute remote code by tricking a user into visiting a specially crafted web page or clicking on a malicious link.

Proof-of-concept code had been written to take advantage of one of the vulnerabilities, which has been known since January 2007, Symantec Security Response Vice President Alfred Huger said in a statement. He was not aware of any publicly available attack code.

"The XML code to exploit this is somewhat complex to set up, but it only takes one little click from a user to be effective," Huger said.

Amol Sarwate, manager of vulnerability labs at Qualys, told SCMagazineUS.com that these critical vulnerabilities should be taken seriously because most Windows machines have XML Core Services installed.

"That library is used by Microsoft Office, by SharePoint, by Internet Explorer and almost all of the programs used by Microsoft to process XML documents," he said.

The update also addresses an "important" bug in the Server Message Block (SMB) protocol, which provides shared access to files. The hole could be exploited to install malicious programs; view, change or delete data; or create user accounts with privileged access, according to Microsoft's November bulletin summary.

Public exploit code has been circulating for that vulnerability, the summary said.

But Sarwate said the flaw did not garner critical status because attack scenarios are complicated.

"For the SMB to be exploited, the attacker has to host a machine that responds to SMB requests in a certain way and the attacker has to entice the user to click on his or her email that accesses those SMB [file] shares," he said.

See original article on SC Magazine US
Copyright © SC Magazine, US edition
