Microsoft released 11 security bulletins for Patch Tuesday Oct. 14 as well as a new measuring stick to judge them by.
The “Exploitability Index” appears as a new table on the monthly Microsoft Security Bulletin Summary. Next to each bulletin is an additional rating based on how likely it is that the vulnerability will be exploited. An additional column is for notes with extra information.
“Exploitability Index is way to provide more information to aid customers in their risk management process,” wrote Steve Adegbite on the MSRC (Microsoft Security Response Center) blog.
Of the 11 bulletins, four are rated “critical.” The critical bulletins cover remote code execution issues in Internet Explorer, Active Directory, Host Integration Server’s Remote Procedure Call Service and Office Excel.
The Internet Explorer bulletin deals with five issues that can be exploited if a user views a malicious Web page. Two of the five-an event-handling cross-domain vulnerability and an HTML element cross-domain vulnerability-are prime candidates for the development of consistent exploit code, according to the index.
The Excel bulletin fixes three vulnerabilities, including a formula parsing issue that is also considered a likely candidate for exploit code. The Host Integration Server vulnerability was declared likely to be exploited as well, and affects versions 2000, 2004 and 2006.
But administrators should not underestimate the Active Directory issue, which Shavlik Technologies CTO Eric Schultze warned is dangerous.
“If I am a customer running a network with Windows 2000 Active Directory, I would be very scared because now any user on my network can become domain administrator and can take over my network,” Schultze said. “I think Microsoft is only somewhat saved by the fact that they believe that not many people are running Windows 2000 Active Directory anymore. I would think that you still probably have quite a bit out there.”
Six of the remaining bulletins were rated important, and address issues in the Microsoft Ancillary Function Driver, the Windows Kernel, Microsoft Server Message Block Protocol, Virtual Address Descriptor, Message Queuing and the Windows Internet Printing Service. The final bulletin is rated “moderate” and fixes a vulnerability in Microsoft Office that could lead to data disclosure.