Microsoft announces six updates for Patch Tuesday
Microsoft intends to release six security-critical updates this coming Tuesday. One of the updates closes a hole in the XML Core Services. Just how many holes the updates will close in all is unclear, since in the past one update has frequently corrected several vulnerabilities at once. The software giant also announced two non-security-related updates that it nevertheless classifies as high priority, to be distributed via Microsoft Update and the WSUS update server.
Exploit code is readily available for the security hole in version 4.0 of the XML Core Services, and criminals are already using it on various websites. Microsoft is therefore classifying the patch as critical; applying it requires a reboot of the affected machine. Five other security updates affect Windows operating systems. At least one of these updates is considered critical by Microsoft. Several of those updates require a reboot to be activated.
One apparent omission is the security hole in PowerPoint that was discovered and has been exploited since shortly after the October Patch Tuesday; Microsoft did not announce any patches for Office. The developers may have corrected a flaw in the daxctle.ocx ActiveX control for DirectAnimation, which has been actively exploited to compromise Windows machines for two months now.
Microsoft's Patch Tuesday announcement does not indicate whether the update to Internet Explorer 7 is considered security-related or whether it belongs to the five Windows updates. Anyone interested in preventing the software from automatically updating should read this article from heise Security.
- Microsoft Security Bulletin Advance Notification, Patch Tuesday announcement from Microsoft