We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,773 News Articles

Microsoft plans minor Patch Tuesday for November

Release to repair Microsoft XML Core Services

Microsoft has announced it will release just two security updates during November's Patch Tuesday round of updates.

The release has significantly fewer updates than October's security release, which featured 11 patches.

One of the two will be rated 'critical', Microsoft's highest threat ranking, while the other will be tagged as 'important', the next-lowest rating. Both of the updates will address vulnerabilities that can be used to execute remote code, a description that generally means hackers could leverage the bugs in order to plant their own malicious code on vulnerable PCs, often by convincing users to open a file attachment or tricking them into visiting a rogue website.

The most serious of the pair targets one or more flaws in Microsoft XML Core Services, and will require patching all still-supported editions of Windows - including Windows 2000, XP, Vista, Server 2003 and Server 2008 - as well as Office 2003 , Office 2007, SharePoint Server 2007 and Groove Server 2007.

XML Core Services has been patched twice in the past, most recently in August 2007, as part of a 14-fix package that ranked among the biggest that year. XML Core Services is the component that provides interoperability between several scripting languages, including JScript, Visual Studio and XML applications, and lets developers use those languages to access XML documents.

Another flaw in the service was addressed in November 2006, when Microsoft patched a bug that had been actively exploited before the fix was issued. Microsoft warned that XML Core Services 3.0, 4.0, 5.0 and 6.0 would need to be patched on Tuesday.

The second update, ranked important, will patch all versions of Windows to plug one or more unspecified holes.

As it did last month, Microsoft will also predict whether criminals will be likely to come up with attack code in the next 30 days. In October, when it debuted the 'Exploitability Index', Microsoft labeled eight of the month's 20 total vulnerabilities with the 'consistent exploit code likely' tag, seven with the 'inconsistent exploit code likely' phrase, and four with 'functioning exploit code unlikely'.

The company has already deployed one security update since the last Patch Tuesday. On October 23, it released an emergency fix for a critical bug in the Windows Server service, saying that it had found attacks exploiting the vulnerability. Later, Joe Stewart, a noted security researcher at SecureWorks said his investigation had uncovered a small number of infected PCs - fewer than 200 - that triggered Microsoft's decision to patch out-of-cycle.


IDG UK Sites

Windows 9 release date, price, features: 30 September marked for unveiling

IDG UK Sites

Gateway to your kingdom: why everybody should check and update their broadband router

IDG UK Sites

Netflix whips up 3D VR viewing room for Oculus Rift during company hack day

IDG UK Sites

Best Mac? Complete Apple Mac buyers guide for 2014