Microsoft pushes out 11 security bulletins as part of October's Patch Tuesday. Microsoft also unveils its Exploitability Index, which includes information about vulnerabilities that are likely to be exploited. Four of the 11 bulletins are rated critical.

Microsoft released 11 security bulletins for Patch Tuesday Oct. 14, as well
as a new measuring stick to judge them by.
The "Exploitability Index" appears as a new table on the monthly Microsoft
Security Bulletin Summary. Next to each bulletin is a rating of how likely it
is that the vulnerability will be exploited, and a further column holds notes
with extra information.
"Exploitability Index is a way to provide more information to aid
customers in their risk management process," wrote Steve Adegbite on the MSRC
(Microsoft Security Response Center) blog.
Of the 11 bulletins, four are rated "critical." The critical
bulletins cover remote code execution issues in Internet Explorer, Active
Directory, Host Integration Server's Remote Procedure Call Service and Office
Excel.
The Internet Explorer bulletin deals with five issues that can be exploited
if a user views a malicious Web page. Two of the five, an event-handling
cross-domain vulnerability and an HTML element cross-domain vulnerability, are
rated as likely to see consistent exploit code, the index's highest
(most likely to be exploited) rating.
The Excel bulletin fixes three vulnerabilities, including a formula parsing
issue that is also considered a likely candidate for exploit code. The Host
Integration Server vulnerability was declared likely to be exploited as well,
and affects versions 2000, 2004 and 2006.
But administrators should not underestimate the Active Directory issue,
which Shavlik Technologies CTO Eric Schultze
warned is dangerous.
"If I am a customer running a network with Windows 2000 Active
Directory, I would be very scared because now any user on my network can become
domain administrator and can take over my network," Schultze said. "I
think Microsoft is only somewhat saved by the fact that they believe that not
many people are running Windows 2000 Active Directory anymore. I would think
that you still probably have quite a bit out there."
Six of the remaining bulletins were rated important,
and address issues in the Microsoft Ancillary Function Driver, the Windows
Kernel, Microsoft Server Message Block Protocol, Virtual Address Descriptor,
Message Queuing and the Windows Internet Printing Service. The final bulletin
is rated "moderate" and fixes a vulnerability in Microsoft Office
that could lead to data disclosure.