November's patch drop promised to be a much smaller release than in several recent months when Microsoft (NASDAQ: MSFT) gave administrators advance notice last Thursday.
All in all, Microsoft released a total of six patches, three of them ranked "critical" on Microsoft's four-tier severity scale. Critical is the highest threat level, followed by "important."
Unlike several recent bug fixes, though, only one of the bugs repaired in this month's patch drop ended up as a so-called zero-day (define) attack. Microsoft said in its security bulletin that while the bug had been responsibly disclosed to Microsoft, by the time it had prepared a patch, details of the exploit were already circulating on the Web.
That bug -- known as the Embedded OpenType font kernel vulnerability -- is the most important one to patch right away, according to Ben Greenbaum, senior research manager at Symantec Security Response.
"Not only is proof-of-concept exploit code publicly available, but all that's required of a user to become infected by it is simply viewing a compromised Web page," Greenbaum said in an e-mail to InternetNews.com.
Sheldon Malm, senior director of security strategy at Rapid7, agrees. This flaw "is the top priority this month, with three vulnerabilities rolling up to remote code execution against XP, 2000, and Server 2003 [and] elevation of privilege against Vista and Server 2008," Malm said in an e-mail.
Two other critical bugs fixed by the same patch have not yet been used in attacks in the wild as of the patches' release, Microsoft said in its security bulletins.
Peripheral software, Office and Active Directory security flaws
A second patch in today's Patch Tuesday installment fixes a critical bug in a part of Windows known as Web Services on Devices. It affects Windows Vista and Windows Server 2008.
"Web Services on Devices enables a Windows client to discover and access remote devices, such as personal digital assistants (PDAs) and computer peripherals, including printers and cameras, as well as consumer electronics," Microsoft's security bulletin said. There have been no attacks so far via that potential exploit, it added.
The third critical patch fixes a hole in Windows' License Logging service, a server-based product that helps administrators keep track of software licenses. However, the logging service fix only impacts Windows 2000 Server Service Pack 4 -- the last supported version of the nearly decade-old operating system.
Besides the critical bugs, Microsoft also patched a hole in Active Directory that is rated "important" and which could result in a denial of service attack that could crash the service.
Finally, the company issued two patches that fix multiple important flaws in Microsoft Office -- specifically in Excel and Word. The Excel bugs affect Office XP up through Office 2007, while the Word bug impacts XP through Office 2003.
Microsoft has posted the security bulletins and their associated patches here.
Article courtesy of InternetNews.com.