Welcome to the November 2008 edition of TechRepublic’s Patch Tuesday coverage! The big news since the last Patch Tuesday was the October 23, 2008, out-of-band patch. If you are running Windows 2000, XP, or 2003 and have not applied this one yet, you need to, since there are exploits for it running around now. It is only “Important” for Vista and 2008 users. Now, on to today’s patches!
MS08-068 / KB957097 – Important (2000, XP, 2003) / Moderate (Vista, 2008): The Microsoft SMB handlers have a vulnerability that allows remote code execution. This is not a critical concern, since you should not be exposing SMB across the Internet, but it is still important to get it patched. This patch is for 32-bit and 64-bit editions of Windows 2000, XP, Vista, Server 2003, and Server 2008 (including Server Core). Note the lower priority on Vista and Server 2008.
MS08-069 / KB954430 / KB954459 / KB955218 / KB955069 – Low to Critical (depending on the precise system): This set of patches (different patches for the same bug) addresses a number of problems with the Microsoft XML Core Services (MSXML). At worst, it allows remote code execution attacks to occur, using IE as an attack vector. Luckily, locked-down users are less of a risk than administrative users.
The criticality is “critical” for MSXML 3.0, “Important” for MSXML 4.0, 5.0, and 6.0. Because MSXML is used not only for IE, but in Office and in the Office Server products, this patch applies to just about every system under the sun. I think that instead of trying to figure out if this patch is truly critical to you, you should play the “better safe than sorry” game and treat it as critical.
Also of note: this patch seems to have a few conflicts and issues in it (ugh); luckily, these issues seem confined to systems with older copies of MSXML installed. Additionally, the conflicts do not seem deadly, just annoying (it will fail to install depending upon what other items are being installed at the same time). On Vista, if you are using MSXML 4 SP2, make sure that you install the update in KB941833 as well to improve reliability.
KB957200: This is a minor bug to fix a problem with the error-reporting feature in Vista and Server 2008 64-bit editions. I don’t think many people get much value out of reporting those errors, but if you really think it’s important to do those error reports and you installed SP1 to Vista or Server 2008 after the initial installation (the only affected configurations), install this patch.
The Usual Suspects: Updates to the Malicious Software Removal Tool, Junk e-mail filters, Defender, group policy client side extensions, and the system update readiness tool.