The "critical" fixes are said to repair vulnerabilities that could potentially allow an attacker to take complete control of a computer. Via remote code execution, an attacker could install programs, view, change, or delete data, and create new accounts with full user rights, according to Microsoft.
The four "critical" patches are said to include:
- KB 938464, which resolves vulnerabilities in the Windows GDI (graphics device interface) that could allow remote code execution if a user views a maliciously crafted image file.
- KB 956390, which addresses six different vulnerabilities in the Internet Explorer web browser. Without the updates, specially crafted web pages could be used to obtain information or execute code remotely, says Microsoft.
- KB 958644, which resolves a "wormable" vulnerability in Windows' Server service. Without the fix, the operating system could allow remote code execution if a system receives a specially crafted RPC (remote procedure call) request.
- KB 954154, resolving a vulnerability in Windows Media Player that could allow remote code execution when a specially crafted audio file is streamed from a Windows Media Server. This fix applies only to Update Rollup 1.0, says Microsoft.
Five additional "important" patches include:
- KB 954211, which fixes three vulnerabilities in the Windows kernel that could let an attacker take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users, the company adds.
- KB 953155, which resolves a vulnerability in Windows' IPP (internet printing protocol) service. By changing the way memory is allocated in the service, the fix prevents potential remote code execution, says Microsoft.
- KB 957095, which resolves a vulnerability in the Windows SMB (server message block) protocol. The fix prevents potential remote code execution on servers that are sharing files or folders, the company says.
- KB 956841, which resolves a vulnerability in the way Windows handles memory allocation and VADs (virtual address descriptors). Without the fix, an attacker could gain elevation of privilege by running a specially crafted program, according to Microsoft.
- KB 956803, which resolves a vulnerability in the AFD (ancillary function driver). The fix ensures proper validation of input passed from user mode to the Windows kernel, preventing local code execution that would let an attacker take complete control of the system, says Microsoft.
Finally, KB 956391 is billed as a "Cumulative Security Update of ActiveX Kill Bits." The update deactivates versions of ActiveX controls that have been deemed flawed by their third-party developers, including versions of Microgaming's download helper, Husdawg's "System Requirements Lab," and PhotoStockPlus's uploader tool, according to Microsoft.
Further information
With the exception of KB 954154, noted above, the fixes are all for Windows XP Embedded with SP2, Feature Pack 2007, and/or Update Rollup 1.0. For more information on any of them, click on the links provided above, which lead to corresponding entries in Microsoft's online knowledge base.
To obtain the October 2008 batch of security updates, access Microsoft's Mobile and Embedded Communications Extranet (ECE) here (registration required).