Microsoft issued two bulletins this week, one critical, repairing a serious vulnerability affecting its server line. In addition, the software giant issued a revised Exploitability Index, expanding it to take into account the latest versions of its software.
Microsoft released a “critical” bulletin, patching a vulnerability affecting Windows server 2003 and 2008. The update fixes a privately reported vulnerability in the Windows Internet Name Service (WINS), a DNS service for NetBIOS, which is a local area network API. The vulnerability allows attackers to execute code remotely if a user receives a specially crafted malware file on a WINS system. Only customers who installed the WINS component are affected the issue.
In addition, Microsoft issued an “important” bulletin, repairing two vulnerabilities in Microsoft PowerPoint. The flaws, a memory corruption error and a buffer overflow vulnerability, could allow remote code execution if a user opens a malicious PowerPoint file. The update affects users of Microsoft PowerPoint 2002, 2003, 2007 and Microsoft Office 2004 and 2008 for Mac.
Amol Sarwate, manager of the vulnerability research lab at Qualys felt that the lesser-ranked PowerPoint vulnerability could be more dangerous than the WINS vulnerability because WINS is not deployed by default.
Jason Miller, a data team manager at St. Paul, Minn.-based Shavlik Technologies LLC, downplayed the PowerPoint flaws. Miller said organizations that use PowerPoint more often, should be more concerned and apply the patches as soon as possible. “Across the board … PowerPoint presentations are used less than word documents or Excel [spreadsheets],” Miller said.
Revised Exploitability Index
Microsoft is taking a new approach to its Exploitability Index, a number assigned to a flaw that indicates the likeliness that exploit code will surface in the wild. The index is designed to help IT administrators prioritize patching deployments.
“Each vulnerability rating is based on a thorough review by the MSRC Engineering team, as well as close cooperation with a number of key partners,” wrote Maarten Van Horenbeeck a senior security program manager at Microsoft in the MSRC Blog.
The revamped index will include two index ratings per vulnerability, assigning a rating for the most recent platform and for older versions of the software. “It gives a more accurate representation of the customer’s [system],” said Qualys’ Sarwate.
The index will also take into account the risk posed by denial-of-service (DoS) attacks, which can cause a system to become unresponsive or crash. The index will indicate whether a DoS attack would be “permanent,” making a program or operating system crash and causing it to be unresponsive during an attack.