Microsoft Releases Patch Tuesday Fixes with New Exploitability Index | eWeek

Microsoft Releases Patch Tuesday Fixes with New Exploitability Index

Written By
Brian Prince
Brian Prince
Oct 14, 2008
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Microsoft released 11 security bulletins for Patch Tuesday Oct. 14 as well as a new measuring stick to judge them by.

The “Exploitability Index” appears as a new table on the monthly Microsoft Security Bulletin Summary. Next to each bulletin is an additional rating based on how likely it is that the vulnerability will be exploited. An additional column is for notes with extra information.

“Exploitability Index is way to provide more information to aid customers in their risk management process,” wrote Steve Adegbite on the MSRC (Microsoft Security Response Center) blog.

Of the 11 bulletins, four are rated “critical.” The critical bulletins cover remote code execution issues in Internet Explorer, Active Directory, Host Integration Server’s Remote Procedure Call Service and Office Excel.

What gets a security bulletin a “critical” rating? Click here for Security Center Editor Larry Seltzer’s analysis of vulnerability rating systems.

The Internet Explorer bulletin deals with five issues that can be exploited if a user views a malicious Web page. Two of the five-an event-handling cross-domain vulnerability and an HTML element cross-domain vulnerability-are prime candidates for the development of consistent exploit code, according to the index.

The Excel bulletin fixes three vulnerabilities, including a formula parsing issue that is also considered a likely candidate for exploit code. The Host Integration Server vulnerability was declared likely to be exploited as well, and affects versions 2000, 2004 and 2006.

Red Hat, Canonical and Novell are increasing security features in their Linux distributions. Click here to read more.

But administrators should not underestimate the Active Directory issue, which Shavlik Technologies CTO Eric Schultze warned is dangerous.

“If I am a customer running a network with Windows 2000 Active Directory, I would be very scared because now any user on my network can become domain administrator and can take over my network,” Schultze said. “I think Microsoft is only somewhat saved by the fact that they believe that not many people are running Windows 2000 Active Directory anymore. I would think that you still probably have quite a bit out there.”

Six of the remaining bulletins were rated important, and address issues in the Microsoft Ancillary Function Driver, the Windows Kernel, Microsoft Server Message Block Protocol, Virtual Address Descriptor, Message Queuing and the Windows Internet Printing Service. The final bulletin is rated “moderate” and fixes a vulnerability in Microsoft Office that could lead to data disclosure.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.