Microsoft to Fix Two Windows Holes on Patch Tuesday

By Lisa Vaas  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Possible candidates for patching are a Macrovision driver flaw and a flaw that's been letting in rigged PDFs.

Patch Tuesday will bring two security bulletins from Microsoft, one of which is critical and involves a remotely exploitable hole on Windows systems, the other of which is rated important and also affects Windows.

eEye's Zero-Day Tracker, as of Nov. 9, is listing three active zero-day Windows and Internet Explorer vulnerabilities, all of which have been publicly disclosed and/or used in attacks, none of which have been patched.

The critical patch promised for the Nov. 13 Patch Tuesday could well be a flaw in a Macrovision driver on Windows XP and Windows 2003. That vulnerability was actively being exploited in the wild as of Nov. 5, when Microsoft sent a special security advisory to warn customers of the danger of complete system takeover.

Microsoft said at the time that Vista is immune to the vulnerability, which is a memory corruption error in the Macrovision Security Driver when processing user-supplied data. The vulnerability can be used by local attackers to gain so-called Ring 0 privileges—a hierarchical level with the most privileges and which interacts most directly with physical hardware, including the CPU and memory.

Similarly, the critical patch expected on Patch Tuesday affects Windows XP and Windows 2003, not Vista, meaning there's a good chance that is the bug that's next up for a fix.

Microsoft might also be planning to release a security update to fix the Windows hole that's been letting attackers run wild with rigged PDF files. The company put out a special security advisory on Oct. 25 regarding that exploit, which has involved a wave of malware spamming in late October that reached what security researchers called "massive" proportions.

The important Windows update concerns spoofing, Microsoft said in its monthly security bulletin advance notice.

Both the updates will require a restart except under certain conditions with the one marked "important." In the case of both updates, Microsoft Baseline Security Analyzer can detect whether a system requires the update.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...