No big surprises from Microsoft this Tuesday; there were no changes in the list of patches that were announced earlier. There are just two:
MS08-068 is a patch for the Server Message Block (SMB) Protocol on all currently supported versions of Windows; the bug can lead to remote code execution with the rights of the logged-on user. The CVE identifier for this is CVE-2008-4037. This is rated as Important for most versions, and Moderate for Vista and 2008. It looks like it’s tricky to exploit:
An attacker would have no way to force users to visit a specially crafted server share or Web site. Instead, an attacker would have to convince them to visit the server share or Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the attacker’s site.
Well, that part is actually pretty easy; the tricky part is hosting a special SMB server that captures the credentials that are sent and reuses them to connect back to the PC you’re trying to attack. The only part of the entire advisory that caught my eye was the FAQ:
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2008-4037.
Microsoft has an interesting definition of “publicly disclosed”: at the time of writing the CVE entry wasn’t accepted yet (screenshot). I’m sure that will be corrected soon though.
MS08-069 is more serious; it contains several updates for the Core XML Services versions 3 through 6, with the most serious one rated as Critical on all Windows versions. This can also lead to remote code execution when the user clicks a malicious URL. The update fixes three separate issues: