Critical zero-day flaws in Microsoft Service Message Block (SMB) and zero-day vulnerabilities in Microsoft Internet Information Services (IIS) Web server will be addressed by the software maker next week as part of its regularly scheduled release of updates across its product line.
Microsoft said the updates repairing the longstanding vulnerabilities would be among 13 bulletins released Tuesday. Eight Microsoft security bulletins are labeled critical and five important, according to the
"Usually we do not go into this level of detail in the advance notification but we felt that it is important guidance so customers can plan accordingly and deploy these updates as soon as possible," said Jerry Bryant Microsoft security program manager of Microsoft's decision to identify two of the advisories being addressed next week.
Microsoft issued an advisory early last month acknowledging that exploit code surfaced targeting SMB zero-day vulnerabilities. The SMB is used in Windows to communicate messages to devices on the network such as printers and file sharing devices. The exploit code targets SMV version 2 and was added to the Metasploit testing platform, initially enabling an attacker to remotely crash a computer. Updated code enables an attacker to distribute malware on Windows Vista Service Pack 1 and 2 as well as Windows 2008 SP1 server. A one-click "fix-it" workaround was made available temporarily disabling the SMB until a patch is released.
A bulletin will also be released addressing a second serious vulnerability in Microsoft IIS and the availability of exploit code circulating that could enable an attacker to exploit the flaw. According to an advisory issued Sept. 1, the flaws affect Microsoft IIS version 5.0, 5.1 and 6.0, leaving the Web server vulnerable to an FTP attack.
The bulletins address 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Microsoft said most of the updates will require a restart.