Microsoft released six updates for its software on its regularly scheduled patch day on Tuesday, fixing at least 15 security holes, including three vulnerabilities in the Windows kernel.
http://blogs.technet.com/msrc/archive/2009/11/10/november-2009-security-bulletin-release.aspxThe update patches severe issues in the License Logging service and the Web Serivces on Devices API, as well as critical vulnerabilities in the Win32k kernel. The most severe issue, caused by the incorrect handling of font data, is rated Critical for Windows 2000, Windows XP and Windows 2003.
"The vulnerability allows for remote code execution, and the attack code can be embedded inside MS Office files or be hosted on Web sites," Andrew Storms, director of security operations for network protection firm nCircle, said in a statement. "Simply browsing an infected Web site will compromise unsuspecting users ... A lot of people will try to be the first to publicly post exploit code."
Microsoft also patched nine vulnerabilities in Microsoft Office and a single vulnerability in Active Directory, the company's identity-management and credentialing server.
Six of the vulnerabilities were considered to likely lead to functional exploit code in the next month, according to Microsoft's exploitability ratings. The company predicted that eight of the issues might lead to unreliable exploit code, while a single flaw would be unlikely to be exploited.
(sfocus)