Microsoft on Tuesday released its November 2008 security bulletin, including one patch rated 'critical'.
The critical bulletin affects Microsoft XML Core Services and Internet Explorer, while the 'important' bulletin affects Microsoft Server Message Block (SMB) Protocol. Both affect all versions of Windows.
From October, Microsoft began sharing the technical details of new vulnerabilities to give software developers a chance to update affected products before the public announcement. Microsoft is including within each bulletin an 'exploitability index' to help system administrators prioritise the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
MS08-068: Important
Exploitability index: 1. Microsoft recommends customers apply the update at the earliest opportunity. Titled 'Vulnerability in SMB could allow remote code execution (957097)', this bulletin is important for all supported editions of Microsoft Windows 2000, Windows XP and Windows Server 2003, and moderate for all supported editions of Windows Vista and Windows Server 2008. This bulletin addresses the vulnerability detailed in CVE-2008-4037. Microsoft said an attacker "who successfully exploited this vulnerability could install programs; view, change or delete data; or create new accounts with full user rights".
MS08-069: Critical
Exploitability index: 1-2. Microsoft recommends customers apply this update immediately. Titled 'Vulnerabilities in Microsoft XML Core Services could allow remote code execution (955218)", this bulletin is rated critical for Microsoft XML Core Services 3.0 and important for Microsoft XML Core Services 4.0, Microsoft XML Core Services 5.0 and Microsoft XML Core Services 6.0. This bulletin replaces MS07-042 and addresses the three vulnerabilities detailed in CVE-2007-0099, CVE-2008-4029 and CVE-2008-4033. Microsoft said: "The most severe vulnerability could allow remote code execution if a user viewed a specially crafted web page using Internet Explorer".
Talkback
Microsoft are really serving the customers well in providing a predictable 'patch tuesday' issue of patches, and this report certainly provides us excellent guidance on the issues behind the patches. But how do I quickly identify which of my systems need patching?
We know that any computer that is exposed to the internet, any unsanctioned applications, or unprotected storage devices can be infected with viruses, Trojans, worms, keyloggers, spyware, rootkits, and other malware - often as a result of unknown vulnerabilities.
By preying upon such vulnerabilities in operating systems and applications – from ubiquitous internet browsers to email and office productivity suites – these infections can quickly lead to stolen data, disrupted operations, and threats to the privacy of customers and employees. In 2007 alone, well over 6,000 new vulnerabilities were reported, an average of 124 per week. Nearly 90% of those vulnerabilities could be exploited remotely. In addition, poorly installed or misconfigured devices can create vulnerabilities that allow data corruption, eavesdropping, and theft.
As vulnerabilities can be found literally everywhere – from gateways and routers to DNS servers, web servers, desktops, and laptops – many IT departments run a “catch as catch can” defense. But using swarms of IT personnel to constantly hunt down vulnerabilities, figure out and then apply the appropriate patches, and hope for the best is a waste of resources.
Automating the vulnerability management lifecycle – discovery, assessment, prioritisation, remediation, and reporting – lets you keep your information resources safe from external threats around the clock, freeing IT personnel to work on business-focused projects.