Microsoft's November security update will target Windows and XML

 

Gallery

By Matt Whipp

Posted on 10 Nov 2006 at 12:26

Microsoft has said it will issue six security bulletins in its November security update affecting Microsoft XML Core Services and Windows.

The one affecting the XML Core Services and at least one of the five affecting Windows are rated as Critical - Microsoft's most severe security rating.

Sysadmins will be hoping the fixes shore up systems currently at risk from a series of unpatched security holes that attackers are already trying to breach.

The update for XML Core Services might be the fix for Windows' XMLHTTP 4.0 ActiveX Control current mishandling certain requests that can lead to an attacker being at liberty to run code remotely on a target machine. According to Secunia, attack code is already in the public domain.

Security experts at Finjan have also warned of further as yet unpatched security issues which are being exploited by attackers.

It says an error in an ActiveX control in Visual Studio 2005 on Windows can lead to remote code execution, rating it as 'extremely critical'. Additionally, a memory corruption vulnerability exists in Microsoft's daxctle.ocx ActiveX, which is also described as 'extremely critical'.

A less severe problem exists in the ADODB.Connection ActiveX control, which an attacker can use in a DOS attack. Finjan says that exploit code for all of these flaws is already available and that attacks are becoming increasingly frequent.