Microsoft to issue two security patches on Jan. 8
Jan. 5, 2008
Yesterday, Microsoft said that next Tuesday it will be issuing two security patches to repair security flaws in its Windows operating system. One update will be rated critical, the company's most serious security rating, while the other will be tagged as important, its next-lower rating.
Jan. 8's critical update is expected to fix a remote code execution vulnerability found in all currently supported versions of Windows, ranging from Windows 2000 SP-4 up to Windows Vista.
According to Microsoft, this security flaw is especially threatening to users of Windows XP and Vista. The company ranked the flaw critical for those operating systems, but downgraded it to important for Windows Server 2003 and to just moderate for Windows 2000 users.
Microsoft provides mostly "bare-bones" information in its prepatch notification. These two security patches are a fix for the Web Proxy Auto-Discovery (WPAD) problem that the company's security team acknowledged in December.
However, the company didn't fix it in time to make the Dec. 11 batch of updates. The WPAD vulnerability (actually a security flaw in how Windows PCs look up DNS information) was originally patched in 1999, but resurfaced recently when a researcher pointed out that it had crept back into later versions of Windows.
"I'm leaning toward something else, because WPAD doesn't seem to fit with the criticality of this," said Ryan Poppa, lead research engineer at nCircle Inc.
Poppa offered his own interpretation of how Microsoft rated this vulnerability for the different versions of Windows. "It mostly affects the workstations, and not servers," he said, referring to the important rating for Windows Server 2003 and the critical label for XP and Vista.
Poppa added, "It might be a fix for a service that's not turned on by default on Windows 2003, but is on XP and Vista. It could be something like Remote Desktop, for example."
The other update scheduled for January 8 affects all versions of Windows. Because Microsoft classified it as a "local elevation of privilege" (which typically means that an attack requires local access), it ranked the vulnerability as important across the board.
Additionally, Microsoft plans to release five nonsecurity but "high-priority" patches via Microsoft Update and Windows Server Update Services (WSUS).
The software giant also plans two nonsecurity, high-priority updates for Windows on Windows Update and WSUS. Microsoft Update downloads and installs not only fixes for Windows, but also updates for Office and several other Microsoft products.
These two security updates and their associated explanatory bulletins will go live Jan. 8 at around 1 p.m. EST.