November Patch Tuesday
Written by Editor   
Tuesday, 11 November 2008 22:53
Well, it only seems like a couple of weeks since the last patch from Microsoft (well, it kinda was really); doesn't time fly when you're having fun. Here is the November patch roundup: there are just two patches this month, one rated Critical by Microsoft and the other rated Important.
 
The first of the patches this month is MS08-069. It is rated Critical and covers three vulnerabilities in XML Core Services on all Windows platforms and Office 2003 and Office 2007. Two of the issues, CVE-2008-4029 and CVE-2008-4033, are relatively lower risk than the third, CVE-2007-0099.

CVE-2007-0099 is a buffer overflow issue that could allow an attacker to execute arbitrary code on a vulnerable system if the user browses a Web site that contains specially crafted content or opens specially crafted HTML e-mail.

CVE-2008-4029 is a DTD cross-domain scripting vulnerability. The issue occurs because of the way that Microsoft XML Core Services handles error checks for external document type definitions (DTDs).

CVE-2008-4033 is an information disclosure vulnerability that exists in the way that Microsoft XML Core Services handles transfer-encoding headers.

In MS08-068, Microsoft addresses CVE-2008-4037, known as the SMB Credential Reflection Vulnerability. This issue is a remote code execution vulnerability in the way that the Microsoft Server Message Block (SMB) protocol handles NTLM credentials when a user connects to an attacker's SMB server.

The vulnerability allows the attacker to replay the user's credentials back to them and execute code on the user's machine in the context of the logged-on user. Because many users run as administrator, the attacker can potentially execute system commands with administrator rights.

This final issue affects all releases of the Windows Platform, from Windows 2000 through Windows Vista and Windows 2008.

It is highly recommended that both patches are installed as soon as possible. As a gentle reminder, don't forget to install MS08-067 too if you haven't already. We've already seen many network administrators caught on the hop with that patch, not pushing it out in a timely manner.

