On the second Tuesday of each month, Microsoft releases security updates for both Windows and specific programs. It distributes them through the automatic Windows Update service and also makes them available for manual download.
The November update has four fixes, taking care of two particularly notable problems. (This is a surprisingly low number by Microsoft standards.) Each problem is rated for the potential damage it could cause if a hacker took advantage.
This month one problem is rated ‘critical’, the most serious rating. It affects a feature called Microsoft XML Core Services. (XML is a successor to the better-known HTML system used to create web pages.) The bug affects every currently supported version of Windows (that is, Windows 2000 onwards) and could allow hackers to control a machine once a user visits a malicious web page or opens an infected e-mail.
The other problem, rated ‘important’, affects Server Message Block, a feature which helps services such as file sharing and printer networking to work. A firewall should block attempts to exploit this problem (see my article on firewalls for details on how they work), but some security experts are warning that businesses with large internal networks need to treat this problem particularly seriously.
Even if you don’t use the automatic update service, you should still strongly consider manually downloading the relevant update if you use any of these applications. Failing to plug these loopholes could lead to serious problems, even for sensible users who don’t generally take any security risks.
Wherever necessary, Microsoft issues kill bits to deal with security problems in third-party software that could cause problems in Windows. A kill bit is an entry in the Windows Registry which blocks the relevant software from running ActiveX content (a type of interactive feature which can be vulnerable to hacking in some cases). This month there are no kill bits in the update.
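As an added illustration (not part of the original article or of Microsoft's bulletin), the sketch below scans a registry export for kill bits. It relies on the documented location Internet Explorer checks, the `ActiveX Compatibility` key, where a `Compatibility Flags` value with bit 0x400 set marks a control as blocked; the sample export and its CLSIDs are constructed.

```python
import re

# Registry location Internet Explorer consults for ActiveX kill bits.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # bit in the "Compatibility Flags" DWORD that blocks the control
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FLAGS_RE = re.compile(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})', re.IGNORECASE)

# Constructed sample in .reg export format; the CLSIDs are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000420

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44444444-4444-4444-4444-444444444444}]
'''


def killbit_status(reg_text):
    """Map each CLSID listed under the kill-bit key to True (blocked) or False."""
    status, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            parent, _, leaf = line.strip("[]").rpartition("\\")
            in_scope = parent.upper() == KILLBIT_KEY.upper() and CLSID_RE.fullmatch(leaf)
            clsid = leaf.upper() if in_scope else None
            if clsid:
                status.setdefault(clsid, False)  # key with no flags value is not blocked
        elif clsid:
            m = FLAGS_RE.fullmatch(line)
            if m:  # other flag bits may be set too, so test only the kill bit
                status[clsid] = bool(int(m.group(1), 16) & KILL_BIT)
    return status


if __name__ == "__main__":
    for clsid, blocked in killbit_status(SAMPLE_REG).items():
        print(clsid, "kill bit set" if blocked else "not blocked")
```

A real export saved from the Registry Editor is normally UTF-16, so decode it with `encoding="utf-16"` before passing the text to `killbit_status`.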
While every Microsoft security bulletin rates problems for the damage they could cause if exploited, this is the first bulletin which also predicts how likely it is that hackers will exploit each problem. Microsoft hopes this added detail will be particularly useful in helping IT staff decide which problems to give priority to when monitoring and updating the security on a network.
The rating considers the next 30 days, which is when there’s the biggest risk. That’s because hackers can look at the fixes, figure out exactly what the original bug was, and try to take advantage of the holes before people get around to applying the updates.
Both the problems detailed above have the most serious ranking, "Consistent exploit code likely." That’s because hackers are already aware of the SMB problem, and they’ll be particularly eager to exploit the XML problem as doing so could allow them to steal any information you type into legitimate websites, including passwords.
For this reason, it’s vital to apply the patch for the XML problem.
Occasionally Microsoft issues what it calls an ‘out of cycle’ update – in other words, an emergency patch for a problem that is too serious to leave until the next monthly update.
One of these patches came out between the current and previous monthly updates, dealing with a problem which could allow viruses to spread much more quickly than usual. If you haven’t installed this patch (or you are uncertain whether you have), read about it at:
http://www.brighthub.com/computing/windows-platform/articles/14622.aspx