ITPRO

Printed from www.itpro.co.uk


Microsoft releases only one security update this month

The software maker confirms a light patch Tuesday this month, with just one update, giving administrators a chance to play catch-up.

By Miya Knights, 14 Jan 2009 at 10:29

Microsoft confirmed late yesterday it was releasing only the one update this month as part of its regular cycle of monthly security patches.

While administrators are likely to be kept busy by a bumper patch of Oracle updates previewed on Monday, the Windows operating system (OS) maker focused its attention on the threat posed by a potential denial-of-service (DoS) attack vector.

Andrew Clarke, senior international vice president for security firm Lumension, commented: “After a heavy load of patches in December, IT administrators can kick off the New Year with a light load as Microsoft releases only one security update. The one critical update addresses vulnerability in Windows, which affects all supported Windows versions and may require system reboot.

“This should come as good news for IT administrators, especially after a mammoth December, where Microsoft released eight critical updates to fix 28 vulnerabilities.”

The update in this month’s security bulletin fixes three bugs in the Windows Server Message Block (SMB) file and print service. The update warned: “An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.”

The flaws have been given the highest security rating of ‘critical’ for those organisations running Windows 2000, XP and Windows Server 2003, but are rated ‘moderate’ for Vista and Windows Server 2008 users.

Even the beta version of Microsoft’s upcoming Windows 7 OS released last week is affected by one of the flaws. But its testers will have to wait for the next public release, as the software firm doesn’t address products still in development in its monthly security updates.

Nevertheless, Microsoft said it was unlikely hackers would use the flaw to write exploits that could install malware on an unpatched system.

But one exploit is already known that introduces a DoS attack after an unpatched Vista system crash. And Microsoft added in a blog posting yesterday that enterprise users should patch “SMB servers and domain controllers immediately, since a system DoS would have a high impact”.

It also released an updated version of its Malicious Software Removal Tool designed to eliminate a worm, known as ‘Downadup’ and ‘Conficker’ among other names, that has infected millions of PCs in the past few months.

Clarke said this month’s light bulletin should give administrators an opportunity to get their ‘housecleaning’ in order to kick off the 2009 security planning process.

“This means getting their vulnerability and patching program in place by ensuring all previous patches, both Microsoft and non-Microsoft, have been deployed across their environment,” he added.

He also highlighted the MS08-067 patch for the remote procedure call (RPC) vulnerability reported back in October 2008, because security experts are starting to see new variants appearing in the wild.
