Patch Tuesday Light, But Security Fixes Are Critical

Microsoft on Tuesday patched four vulnerabilities in two security updates for Windows and Microsoft Office. Compared to recent Patch Tuesdays, November is a light month and Microsoft did some housecleaning by fixing a critical bug disclosed nearly two years ago.

MS08-069 is the most serious of the November updates, fixing three individual flaws in Microsoft XML Core Services. This vulnerability went public more than 22 months ago. The other update, MS-08-068, is rated important and fixes a flaw in the Server Message Block (SMB) protocol.

The critical vulnerability in XML has been around since January 2007, according to Alfred Huger, vice president of Symantec Security Response.

"Proof of concept code for this issue that causes the browser to crash was publicly released some time ago. However, at present we are not aware of any publicly available exploit code," Huger said. "An attacker would have to get a user to view a compromised Web page or click on a malicious link to exploit the issue. When the specially crafted XML in the page is processed, remote code execution will occur. The XML code to exploit this is somewhat complex to set up, but it only takes one little click from a user to be effective."