November 12, 2008

Microsoft Releases Two Patches Long-Known Security Issues

Microsoft Corp on Tuesday released two security patches for Windows and Office, including one to fix a critical flaw that was discovered almost two years ago.

Microsoft said the critical patch fixes three separate flaws in XML Core Services, the component that not only provides interoperability between several scripting languages -- including JScript and Visual Studio -- and XML applications, but more importantly allows Internet Explorer to render XML-based content.

"The XML Core Services vulnerability is more of a concern, because it will have more of an opportunity to be exploited," said Ben Greenbaum, a senior research manager at Symantec Corp.

Microsoft began sharing technical details of new vulnerabilities last month so that developers could make new updates before the public announcement.

One patch - MS08-068 - labeled "Ëœimportant', is titled "Vulnerability in SMB Could Allow Remote Code Execution (957097)". This bulletin addresses the vulnerability detailed in CVE-2008-4037. Microsoft says an attacker "who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights."

The second patch - MS08-069 - titled "Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)," was labeled "Ëœcritical' and Microsoft recommended that customers apply the update immediately. MS08-069 patched three bugs, one of which was pegged with a CVE (Common Vulnerabilities and Exposures) label in early 2007, and according to Microsoft, went public more than 22 months ago.

Microsoft said "the most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer."

It was in early 2007 that Polish security researcher Michal Zalewski, who currently works for Google Inc., posted details about several Internet Explorer flaws to the Bugtraq mailing list.

Zalewski also claimed that he had first brought up the problem six months before that, when he described a flaw in Mozilla Corp.'s Firefox and said that other browsers were unlikely to be immune.

This is the second month that Microsoft has posted estimates in its Exploitability Index of how likely it is that attack code would be generated in the next 30 days. The company pinned the Zalewski bug with its second-highest ranking: "inconsistent exploit code likely."

Last month, Microsoft fixed 20 flaws on its scheduled patch day and then nine days later issued an emergency update to stymie active attacks. That final vulnerability was exploited by even newer malware within days.


On the Net: