Microsoft patches critical XML Core Services flaw

By Robert Westervelt, News Editor
11 Nov 2008 | SearchSecurity.com

Security Wire Daily News
Only 18 days after issuing an emergency out-of-band patch, Microsoft Tuesday lightened the burden on administrators, issuing only two bulletins to correct flaws in XML Core Services and an error in the Server Message Block. Only one flaw was rated critical.

Three flaws are contained in versions of XML Core Services, used in a variety of programs in Microsoft Office and Microsoft Windows. The software maker said an attacker could exploit the flaw remotely to gain access to critical data and take control of an affected machine, according to Microsoft bulletin MS08-069.

Microsoft XML Core Services 3.0 was given the rating of critical. Microsoft XML Core Services 4.0, Microsoft XML Core Services 5.0 and Microsoft XML Core Services 6.0 are rated as important. In his monthly column, Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), warned that companies may have more than one version of XML Core Services installed on a single system.

"The XML Core Services allow other applications literally to talk to XML documents … it impacts a wide range of platforms," said Paul Henry, security and forensic analyst at patch management vendor Lumension Security.

In an email statement, Alfred Huger, vice president of Symantec Security Response, said the critical XML Core Services flaw was discovered in January 2007.

"The XML code to exploit this is somewhat complex to set up, but it only takes one little click from a user to be effective," Huger said.

Microsoft also addressed a remote code execution vulnerability in the Server Message Block (SMB) protocol. In Microsoft bulletin MS08-068, the software maker said the problem affects Windows authentication protocols. When a user attempts to authenticate to a malicious SMB server, SMB mishandles the challenge/response procedure. An attacker who successfully exploits the vulnerability could install programs; view, change or delete data; or create new accounts with full user rights, Microsoft said.

As a workaround, Sisk said TCP ports 139 and 445 can be blocked at the firewall. The flaws are rated moderate on Windows Vista and Windows 2008 and were given an important rating on Windows 2000, Windows XP and Windows Server 2003.

The SMB flaw was given a 1 on Microsoft's new Exploitability Index, indicating that Microsoft expects exploit code in the wild within a 30-day window. Lumension's Henry said that the SMB flaw requires an urgent response.

"Anytime a bad guy can execute code remotely is troubling," Henry said.

It also appears that exploit code may have been available for the SMB flaw for nearly eight years, said Eric Schultze, chief technology officer of Shavlik Technologies, LLC. Code has been available for the Metasploit Framework for SMB running on Windows XP.

"Recently there's been a slew of these server side attacks that are far more interesting for hackers to play with," Schultze said. "Even though it's a light patch month, admins still have a lot of work to do."

Microsoft is still monitoring malware in the wild, attempting to exploit a remote procedure call (RPC) flaw that was patched in its MS08-067 emergency bulletin. The fix marked only the fourth time that Microsoft released a security patch outside of its monthly cycle. Within hours after the patch release, security researchers reported the discovery of Trojans attempting to exploit the flaw in the wild.

"The speed at which the bad guys today can take a patch and run a binary diff on it to understand what that patch is doing and come up with exploit code is down to about an hour," Henry said. "The window has really shrunk over the last year or so."

Last week, Symantec's Security Response research team warned users that it was tracking a new worm, W32.Wecorl, that was targeting vulnerable machines in China. A second worm, W32.Kernelbot.A, has the ability to silently download malicious software and connect a victim's machine to a botnet. Microsoft has been urging customers to deploy the patch since the bulletin was released on Oct. 23.
