Microsoft pencils in two patches for next week
Light load to start 2008 includes critical patch for XP, Vista
Computerworld - Microsoft Corp. will ease into the patch year by issuing just two security updates next week, the company said today.
The updates will fix flaws in Windows, Microsoft said in the prepatch notice. One will be rated "critical," the company's most serious ranking, while the other will be tagged as "important," the next-lower rating.
Tuesday's critical update is expected to patch a remote code execution vulnerability found in all currently supported versions of Windows, ranging from Windows 2000 SP4 to Windows Vista. The bug is especially threatening to users of Windows XP and Vista, according to Microsoft. The company ranked the flaw critical to those operating systems, but important to Windows Server 2003 and "moderate" to Windows 2000.
Although Microsoft provides only bare-bones information in its prepatch notification, this update may be a fix for the Web Proxy Auto-Discovery (WPAD) bug that the company's security team acknowledged a month ago, but didn't fix in time to make the Dec. 11 batch of updates. The WPAD vulnerability -- actually a flaw in how Windows PCs look up DNS information -- was originally patched in 1999, but resurfaced recently when a researcher pointed out that it had crept back into later versions of Windows.
Ryan Poppa, lead research engineer at nCircle Inc., however, had a different idea. "I'm leaning toward something else," said Poppa, "because WPAD doesn't seem to fit with the criticality of this."
Poppa based his speculation on how Microsoft rated the vulnerability for the different versions of Windows. "It mostly affects the workstations, and not servers," he said, referring to the important rating for Windows Server 2003 and the critical label for XP and Vista. "It might be [a fix for] a service that's not turned on by default on Windows 2003, but is on XP and Vista. It could be something like Remote Desktop, for example."
The second update scheduled for next week affects all versions of Windows except Vista. Because Microsoft classified it as a "local elevation of privilege" -- which typically means that an attack requires local access -- it ranked the vulnerability as important across the board.
Microsoft also plans to release five nonsecurity, high-priority updates via Microsoft Update and Windows Server Update Services (WSUS), and two nonsecurity, high-priority updates for Windows on Windows Update and WSUS. Microsoft Update downloads and installs not only fixes for Windows, but also updates for Office and several other Microsoft products.
The two updates and their associated explanatory bulletins will go live Tuesday around 1 p.m. Eastern time.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts