Teed Up for November: Office, Windows Fixes

Patch Tuesday, Microsoft’s monthly ritual of issuing fixes on the second Tuesday of every month, is a modest affair this month, with only two fixes coming out. But they affect both Windows and Office.

The company today issued two security bulletins, one rated critical and one rated important. Both flaws could allow for remote code execution attacks. The updates apply to users running all supported versions of Windows, including Vista and Windows Server 2008, and Microsoft Office 2003 and 2007.

Users should not be complacent in thinking the errors are not important, said Wolfgang Kandek, CTO of security firm Qualys. “While there is a small number of patches this month, the flawed components are core to both the Windows OS and Windows applications such as Office and Portal servers, etc. and are likely to be found in almost all machines of a typical customer’s installation,” he said in an e-mailed comment to InternetNews.com.

The critical MS08-069 bulletin affects the XML Core Services parse and should be taken seriously, because it could allow for remote code execution attacks simply by visiting a specially crafted Web page with Internet Explorer. MS08-069 affects three known vulnerabilities.

MS08-068 is rated as important and covers a publicly disclosed vulnerability in the Microsoft Server Message Block (SMB) Protocol. This vulnerability allows an attacker to replay the user’s credentials back to them and execute code in the context of the logged-on user. That means someone with administrator’s rights could have full control of the machine.

Kandek said patching should be done as quickly as possible. “Users can easily be tricked into accessing Web sites that can contain exploits for these new vulnerabilities. Companies with a structured patch process should be able to handle this month with slightly less impact than last months’,” he wrote.

In addition to the fixes, Microsoft has updated its Malicious Software Removal Tool, but did not document what changes have been made. The update can be downloaded along with the fixes.

As always, Microsoft will host a Webcast tomorrow to discuss the patches. It will take place at 11 a.m. Pacific Standard Time.