Only 18 days after issuing an emergency out-of-band patch, Microsoft on Tuesday lightened the burden on administrators, issuing only two bulletins: one correcting flaws in XML Core Services and one correcting an error in Server Message Block (SMB). Only one of the flaws was rated critical.
Three flaws are contained in versions of XML Core Services, used in a variety of programs in Microsoft Office and Microsoft Windows. The software maker said an attacker could exploit the flaw remotely to gain access to critical data and take control of an affected machine, according to Microsoft bulletin MS08-069.
Microsoft XML Core Services 3.0 was given the rating of critical. Microsoft XML Core Services 4.0, Microsoft XML Core Services 5.0 and Microsoft XML Core Services 6.0 are rated as important. In his monthly column, Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), warned that companies may have more than one version of XML Core Services installed on a single system.
"The XML Core Services allow other applications literally to talk to XML documents … it impacts a wide range of platforms," said Paul Henry, security and forensic analyst at patch management vendor Lumension Security.
In an email statement, Alfred Huger, vice president of Symantec Security Response, said the critical XML Core Services flaw was discovered in January 2007.
"The XML code to exploit this is somewhat complex to set up, but it only takes one little click from a user to be effective," Huger said.
Microsoft also addressed a remote code execution vulnerability in Server Message Block (SMB). In Microsoft bulletin MS08-068, the software maker said the problem affects Windows authentication protocols: when a user attempts to authenticate to a malicious SMB server, SMB mishandles the challenge/response procedure. An attacker who successfully exploits the vulnerability could install programs; view, change or delete data; or create new accounts with full user rights, Microsoft said.
As a workaround, Sisk said TCP ports 139 and 445 can be blocked at the firewall. The flaw is rated moderate on Windows Vista and Windows Server 2008 and important on Windows 2000, Windows XP and Windows Server 2003.
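The firewall workaround above amounts to refusing SMB connections on TCP 139 and 445 until the MS08-068 patch is deployed. The following PowerShell is an added example, not Microsoft's own guidance or code: it creates a host-firewall rule blocking inbound SMB on both ports and then reads the rule back to confirm it is enabled. It assumes a Windows host with the NetSecurity module (the `New-NetFirewallRule` and `Get-NetFirewallRule` cmdlets, available on Windows 8 / Server 2012 and later, not on the older systems the bulletin covers); the rule name is a placeholder chosen here.

```powershell
# Added example: block inbound SMB (TCP 139 and 445) on the host firewall
# as an interim mitigation, then verify the rule is in place and enabled.
# Run from an elevated PowerShell session.

$ruleName = 'Block-Inbound-SMB-MS08-068'   # placeholder name chosen for this example

# Create the block rule only if it does not already exist, so re-running is safe.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
                        -Direction Inbound `
                        -Protocol TCP `
                        -LocalPort 139,445 `
                        -Action Block `
                        -Profile Any | Out-Null
}

# Read the rule back and confirm it is enabled and set to block.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$ports = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','

if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block') {
    Write-Output "OK: '$ruleName' is enabled, blocking inbound TCP $ports"
} else {
    Write-Output "WARNING: '$ruleName' exists but is not an active block rule"
}
```

Applying this on a perimeter or host firewall is a stopgap only: it stops SMB sessions from reaching the host, which also breaks legitimate file and printer sharing, so the patch from MS08-068 remains the actual fix.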
The SMB flaw was given a 1 on Microsoft's new Exploitability Index, indicating that Microsoft expects exploit code in the wild within a 30-day window. Lumension's Henry said that the SMB flaw requires an urgent response.
"Anytime a bad guy can execute code remotely is troubling," Henry said.
It also appears that exploit code may have been available for the SMB flaw for nearly eight years, said Eric Schultze, chief technology officer of Shavlik Technologies, LLC. Code has been available for the Metasploit Framework for SMB running on Windows XP.
"Recently there's been a slew of these server side attacks that are far more interesting for hackers to play with," Schultze said. "Even though it's a light patch month admins still have a lot of work to do."
Microsoft is still monitoring malware in the wild that attempts to exploit a remote procedure call (RPC) flaw patched in its MS08-067 emergency bulletin. The fix marked only the fourth time that Microsoft has released a security patch outside of its monthly cycle. Within hours of the patch release, security researchers reported the discovery of Trojans attempting to exploit the flaw in the wild.
"The speed at which the bad guys today can take a patch and run a binary diff on it to understand what that patch is doing and come up with exploit code is down to about an hour," Henry said. "The window has really shrunk over the last year or so."
Last week, Symantec's Security Response research team warned users that it was tracking a new worm, W32.Wecorl, that was targeting vulnerable machines in China. A second worm, W32.Kernelbot.A, has the ability to silently download malicious software and connect a victim's machine to a botnet. Microsoft has been urging customers to deploy the patch since the bulletin was released on Oct. 23.