
XML at the Core of Microsoft Patch Tuesday

By Pedro Hernandez
November 11, 2008


Microsoft issued just two bulletins for this month's Patch Tuesday, but considering last month's off-schedule scare, there are likely to be few complaints.

This month's critical update involves three vulnerabilities in Microsoft XML Core Services (MS08-069). Affected software includes Windows 2000 SP4, XP SP2/SP3, Server 2003, Server 2008 and Vista. Microsoft Office 2003 and 2007 are also affected.

The vulnerabilities stem from how XML Core Services parses XML content (CVE-2007-0099), handles error checks for external document type definitions (CVE-2008-4029), and handles transfer-encoding headers (CVE-2008-4033).

"Due to the foundation requirement of XML in Windows and Windows applications, the XML Core Services has been a target of many security researchers in the past. Attacks perpetuated on XML Core Services are always client-side and most often browser-borne, where the user will unsuspectingly open a web page," explains Andrew Storms, Director of Security for network security company nCircle.

The severity of the alert is also a clue to Microsoft's vulnerability rating methodologies. "In keeping with Microsoft's unofficial trend, client-side web based attacks have been deemed critical. Today's update to XML Core services continues that trend."

Today's second patch targets a vulnerability in the Server Message Block (SMB) Protocol (MS08-068), which affects Windows 2000 SP4, XP, Server 2003, Server 2008 and Vista. The problem originates in the way the protocol handles NT LAN Manager (NTLM) credentials.

Making matters worse is the fact that the popular Metasploit toolkit has a leg up on Microsoft when it comes to this hole in its code.

Mr. Storms' colleague, Tyler Reguly, a Security Research Engineer at nCircle, explains, "Metasploit’s SMB_Relay module greatly reduces the effort required to take advantage of this attack, allowing users to set up a fake web page pointing to a host running Metasploit and exploiting each machine. This ease of attack and the fact that the attack is already easily accessible to the public may mean we see increased exploitation compared to what we would usually see."

But the bigger challenge for enterprises comes in the form of an insider with a little skill. "We continue to see an increased risk from insider threats. SMB Redirection is the ultimate insider attack in today's enterprise environment, where IE is often the corporate standard and can be made to pass credentials when a user simply visits a web page," he warns.

"People use their credentials every day inside the enterprise and generally don't even think about it."

Lastly, Microsoft's Malicious Software Removal Tool has been updated to detect FakeSecSen, a family of fake virus alerting software, and the Gimmiv Trojan.
