Compared with previous Patch Tuesdays, November's version was quite small with Microsoft releasing only two patches for the Windows operating system: one rated critical and the other important.
The critical patch addresses an issue with how the Windows shell handles URIs. A specially crafted URI could allow an attacker to execute arbitrary code due to an error in the way it is validated. Currently the issue has only been identified to be exploitable through Internet Explorer 7. However, the actual flaw itself is in a shell DLL, which can be found in Windows XP and Server 2003.
Security firm Qualys noted that several patches that address a similar issue within other applications shows that this is likely not limited to IE7. The company also identified Mozilla and Adobe products as being potentially vulnerable. The second patch repairs an 'important' flaw in how Windows handles DNS. A spoofing vulnerability exists where a specially crafted response to a DNS request could redirect legitimate traffic to sites with less than legit purposes, Microsoft said in an advisory.
View: Full Article @ Betanews