
November 11, 2008

Windows security update contains few, but vital, patches

By John Lister





This month’s Patch Tuesday update is, by Microsoft standards, fairly quiet. There is only one fix rated critical and one rated important, though the firm does warn both the associated vulnerabilities are at particular risk of exploitation.

The critical issue involves Microsoft’s XML Core Services features. These allow programmers to produce Windows applications based on XML. That’s a successor to HTML which allows programmers to create their own tags. Whereas HTML tags only affect the way information appears (for example as bold or an image caption), XML lets you organize data, for example marking a particular section of text as a recipe or a postal address.

The issue, which affects every currently supported version of Windows, would allow a hacker to execute code on a vulnerable machine, arguably the most serious attack which can be launched without physically accessing a computer. For those reasons, this is one of those patches which you really need to apply right away if you don’t use the automatic updates service.

The issue ranked important affects the Server Message Block feature, which is a key part of printing and file-sharing over networks. It also has a risk of remote code execution. Computerworld quotes a security expert as saying the network aspect of the vulnerability means anyone running a corporate network should treat the problem as critical, regardless of Microsoft’s rating.

For the second month, Microsoft has also issued an exploitability index which rates how likely it is that hackers will try to take advantage of a vulnerability. Both the issues detailed above get the most severe rating (Consistent exploit code likely): the SMB problem is already known in the hacker community, while the XML vulnerability will be particularly tempting to criminals as it could allow them to steal data a user sends to a legitimate Web site.
