Wow, November is upon us already! Time flies when you are having fun and working hard. With that in mind, I hope I can make life easier for you by extracting some of the salient information from this month's security bulletins.
Our release is comprised of two bulletins this month, but first let me cover the out-of-band release that took place after October's regularly scheduled bulletin release.
October out-of-band releaseMS08-067
Through internal sensors we discovered a limited number of exploit attempts that targeted a previously unknown vulnerability affecting all supported versions of Windows. As a result, we immediately initiated our Software Security Incident Response Process and started developing and testing a security update. On October 23, we released MS08-067 as an out-of-band security update to protect our customers.
In particular, this update addressed a vulnerability in the server service that could allow remote code execution. It is possible that this vulnerability could be used in the crafting of a wormable exploit on Microsoft Windows 2000, Windows XP and Windows Server 2003 systems. On Windows Vista and Windows Server 2008 machines, however, the vulnerability could only be exploited by an authenticated user, due to changes introduced by User Account Control (UAC).
As we continued monitoring the threat landscape after the release of the update, we found that the detailed exploit code for the vulnerability had been published on the Internet. This exploit code demonstrated code execution on Windows 2000, Windows XP and Windows Server 2003. We then issued an advisory to alert customers that the threat landscape had changed and reminded them of the prescriptive guidance provided in MS08-067. At the heart of this guidance, we encouraged customers to deploy the security update as soon as possible.
November Bulletin ReleaseMS08-068
This bulletin addresses a remote code execution vulnerability in Server Message Block (SMB). SMB mishandles NTLM credentials when a user attempts to authenticate to an attacker's SMB server. To mitigate possible exploit of this vulnerability, block TCP ports 139 and 445 at the firewall. Windows Vista and Windows 2008 are only rated as "moderate" in this bulletin, whereas Windows 2000, Windows XP and Windows Server 2003 are rated as "important." MS08-069
There are three vulnerabilities in MSXML Core Services being addressed in this bulletin. The cumulative rating is "critical." However, only Microsoft XML Core Services 3.0 has this rating. Microsoft XML Core Services 4.0, Microsoft XML Core Services 5.0 and Microsoft XML Core Services 6.0 are rated as "important." Microsoft XML Core Services are included in several Microsoft products and more than one version can be installed on a single system. The bulletin provides detailed guidance and will save you time in your deployment strategies.
Last month I also covered the debut of the Microsoft Exploitability Index. I want to highlight it again.
The Exploitability Index provides additional information to help prioritize the deployment of monthly security bulletins. This index is designed to provide guidance on the likelihood of functional exploits, based on the vulnerabilities addressed by Microsoft security bulletins.
To help you better understand how it works, my colleague, Christopher Budd, wrote an excellent article entitled, Understanding How to Use the Microsoft Security Response Center Exploitability Index. I encourage you to review the article and integrate it into your risk assessment methodology.
In closing, please take a moment and register for our monthly security bulletin webcast, which will be held on Wednesday, Nov. 12 at 2 p.m. EDT.
Christopher Budd and Adrian Stone will review information about each bulletin to further aid in your planning and deployment. Immediately following the review session, they will answer your questions with information from our assembled panel of experts. If you are not able to view the live webcast, it will also be available on-demand.
In addition, please take a moment and mark your calendars for the December 2008 monthly bulletin. The release is scheduled for Tuesday December 9 and the advance notification is scheduled for Thursday, December 4. Look for the December edition of this column on release day for information to help you plan and deploy the most recent security bulletins.