Microsoft slates single Windows patch for Tuesday

Computerworld - Microsoft Corp. today said it will issue just one security update next week, down dramatically from last month's record-setting eight updates that patched 28 vulnerabilities.

The single security update slated for Tuesday, Jan. 13, has been tagged "critical" by Microsoft, which posted its usual advance notice today of what to expect for its monthly patch cycle.

All current support versions of Windows are affected, said Microsoft. As is often the case, older editions -- Windows 2000, Windows XP and Windows Server 2003 -- are at more risk than the newer Windows Vista and Windows Server 2008. Microsoft rated the threat to the older versions as critical, but pegged the threat to newer editions as "moderate," the second-from-the-bottom rating in the company's four-step scoring system.

Andrew Storms, director of security operations at nCircle Network Security Inc., again put his money on a long-standing Windows bug as the problem Microsoft will patch.

"My guess is that it's the token kidnapping bug," said Storms, who had named the same unpatched vulnerability as a likely suspect before Microsoft's December patching. "There are three outstanding vulnerabilities. That one, WordPad and SQL Server. WordPad isn't in Windows Server 2008," said Storms, who noted that the server software is set for a patch next week. "And if they were going to patch SQL Server, I think they would list it as 'SQL Server,' not 'Windows,'" he added.

Two weeks ago, Microsoft confirmed that it has been working on a fix for a critical vulnerability in SQL Server for almost nine months, but denied that it has had a patch ready since September, as an Austrian security researcher has alleged.

The Windows vulnerability Storms cited was first acknowledged by Microsoft in April 2008, several weeks after researcher Cesar Cerrudo said he would disclose a Windows flaw at an upcoming conference. At the time, Microsoft had downplayed the issue, going so far as to label the problem a "design flaw," not a security bug.

Several months later, Microsoft confirmed that hackers were actively exploiting the bug, which remains unpatched.

"You always have to start with the known," Storms added, referring to the list of open Microsoft issues, "but because this [bug] is in all versions of Windows, it could also be another GDI vulnerability."

Storms was talking about the Graphics Device Interface, the core graphics rendering component of Windows, which has been repeatedly repaired by Microsoft, most recently last month in December's massive 28-patch update.

Another clue that may point to a fix for something other than Cerrudo's bug was Microsoft's designation of the vulnerability as an "elevation of privilege" issue. Typically, Microsoft does not rank that class of vulnerabilities as critical.

"That may be the fly in my ointment," admitted Storms.

Microsoft will release January's sole security update at approximately 1 p.m. EST on Tuesday.